Documenting the status quo

One goal in our Note reads: 

  2.1 Document the status quo
  The Working Group will catalog existing presentation of security
  information and corresponding user interpretations reported in user
  studies.

Assuming the group agrees, that means it is something the group is willing
to work on.

We have a start on security information itself in "Available Security 
Information" of the Note (currently section 7). Which of those are part of 
existing presentation of security information (in web user agents)? My 
runthrough is below. 

On the corresponding user interpretations reported in user studies, I'm 
looking for a volunteer to go through our SharedBookmarks and indicate 
which of those have corresponding user interpretations reported in user 
studies (and of course to add more references in that area, if they know 
of any). Anyone willing to get that aspect going? 

++++++++++++++++++++++++++++++++++++++++++++

HTTP-Auth handshake - for the browser I use, the hostname appears in the
title area of a dialog box, and the realm as the first line of that dialog
box (prompting me for username and password). Also, if I have saved my
username and password in my browser's password saving feature, my username
is filled in, and some indication of the password as well. (This latter
should probably be reflected somewhere in section 7, perhaps under
"provided by user".)

cookies - I can't think of anything that proactively presents anything 
about cookies as any indicator of a continuing relationship with a site 
(or anything else). I believe I could configure my browser to proactively 
show me cookie information. I no longer do that. 

Has the page completed loading? - the browser I use has a progress
indicator at the bottom representing something about the percentage
loading (I'm not sure exactly what each bar is meant to mean, but I hope
it only fills when it's totally done loading), and an icon in the top
right-hand corner that "waves" a bit while the loading is occurring (I got
to spend a lot of time staring at both of these lately participating in
the "flash crowd" to try to get BAM tickets for the McKellen Lear).

referring page - I don't know of any displays of it 
redirection path - ditto
content-type - ditto 

target URI for a hyperlink or form submission - for hyperlinks, a mouse 
hover over shows the URL in a status area in both the browser and rich 
client I use. The browser I use doesn't seem to show it anywhere for form 
submission.

presence of dynamic content - my browser will prompt me if it's ActiveX
and I haven't agreed to always trust the certificate for stuff like that.
There seem to be a number of ways I could configure it to prompt me for
various types of dynamic content.

Does the content come from multiple domains? - I know of no way I'm 
currently told about this. 

Was the content transmitted using SSL? - for the main page, the URL will 
begin with https if it was. I guess that the lock icon will appear as 
well. If some content is secured this way and some not, there's this extra 
prompt before display. I hear some browsers also change the color of the 
URL display. 

SSL server certificate chain - for most, I think it only tells me when 
things go wrong. Here's what Mozilla does: 
http://www.w3.org/2006/WSC/wiki/NoteMozillaCertificateValidationErrors. 
George couldn't suck it up and post the KDE errors, and no one seems to be 
able to say what IE does. I can also double click on the lock icon, and 
get that information (and so much more). 
certificate authority 
distinguished name 
public key
validity timeframe

extended validation - in IE, it will turn the URL green 
http://www.cabforum.org/certificates.html

Ciphersuite
public key algorithm and key length
symmetric key algorithm and key length
message digest algorithm
CRL 
OCSP
For all these, if it's not covered in the Mozilla (and other browser)
docs, I don't know. Someone will need to find references or do writeups.

server hostname - somebody said there was a browser that re-displayed the
hostname somewhere.
server IP address - I don't know of anything
localhost versus intranet versus internet - I believe my browser displays
a picture and text in the lower right-hand corner.
DNSSEC - I have no idea

installed certificate authorities - I can bring up a dialog to see them, 
though it's not clear to me how they're differentiated from ones I've 
added myself. Different categories? Different tabs? Geez, I suppose I 
should really know this...
installed search engines - I've got a button that brings it up
default window layout - not sure what should go here. Chrome commentary? 
default bookmarks - I've long forgotten if there were some; I would have 
removed them 
default configuration - not sure what aspects to talk about here 

submitted form values - I don't have anything here
bookmarks - they are in lists I can bring up, either as a menu or as part 
of the window real estate 
browsing history - there are pulldown lists for back, forward, and the URL
display
installed client certificates - I imagine there's a dialog I can find 
those in. 
installed server certificates - There's a dialog I can find those in. 
How was the URL entered? - no representations of that, afaik
typed into address bar
pasted into address bar
clicked hyperlink
command from another application
user's understanding of his task - hmmmm......
user agent customization - nothing coming to mind 

reputation service - Michael M produced the best writeup I know on that 
http://lists.w3.org/Archives/Public/public-wsc-wg/2007Feb/0081.html
hyperlinks on visited web pages - not sure what we're getting at here; 
perhaps more future looking. 
introductions from friends
search engine results - I search, I see them. I've heard it referred to as 
the "ten blue links" paradigm. 
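Several of the items above (SSL for the main page, content from multiple domains, a mix of SSL and non-SSL content, localhost versus intranet versus internet) can be derived from the page URL and the URLs of the resources it loaded. The following is an added example, not part of the original post; `hostZone` and `pageSecuritySummary` are hypothetical helpers, the zone rules are an assumption, and the sample URLs are constructed.

```javascript
// Added example (not from the original post): given the document URL and the URLs of
// the resources it loaded, derive some of the security information the post discusses:
// whether the main page used SSL, whether sub-resources came from multiple origins,
// whether any were fetched without SSL on an SSL page (mixed content), and a rough
// localhost / intranet / internet zone for the page host.
// Zone heuristics (assumption): "localhost", loopback addresses -> localhost;
// RFC 1918 private ranges and single-label hostnames -> intranet; everything else -> internet.

function hostZone(hostname) {
  const h = hostname.toLowerCase().replace(/^\[|\]$/g, ""); // strip IPv6 brackets
  if (h === "localhost" || h === "::1" || /^127\./.test(h)) return "localhost";
  const m = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/.exec(h);
  if (m) {
    const [a, b] = [Number(m[1]), Number(m[2])];
    if (a === 10 || (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168)) return "intranet";
    return "internet";
  }
  if (!h.includes(".")) return "intranet"; // single-label name such as "wiki"
  return "internet";
}

function pageSecuritySummary(documentUrl, resourceUrls) {
  const doc = new URL(documentUrl);
  const origins = new Set([doc.origin]);
  const insecure = [];
  for (const r of resourceUrls) {
    const u = new URL(r, documentUrl); // resolve relative references against the page
    origins.add(u.origin);
    if (doc.protocol === "https:" && u.protocol === "http:") insecure.push(u.href);
  }
  return {
    usesSsl: doc.protocol === "https:",
    mainZone: hostZone(doc.hostname),
    multipleDomains: origins.size > 1,
    origins: [...origins].sort(),
    mixedContent: insecure,
  };
}

// Constructed sample: an HTTPS page pulling a script from another origin over plain HTTP.
const sample = pageSecuritySummary("https://www.example.org/login", [
  "/static/app.js",
  "http://cdn.example.net/lib.js",
  "https://images.example.org/logo.png",
]);
console.log(JSON.stringify(sample, null, 2));
```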

Received on Tuesday, 6 March 2007 22:33:28 UTC