RE: Documenting the status quo

MEZ,
 
We have status quo and we have opened up new context that needs to be
added. Discussion took place about the robustness of authentication
mechanism, or type of authentication being security context, and we need
to build out the types of authentication mechanism listed, e.g.
personalized shared secrets for lack of a better term. Not sure how
this update process works.
 
Bill D
 


________________________________

	From: public-wsc-wg-request@w3.org
[mailto:public-wsc-wg-request@w3.org] On Behalf Of Mary Ellen Zurko
	Sent: Tuesday, March 06, 2007 5:33 PM
	To: public-wsc-wg@w3.org
	Subject: Documenting the status quo 
	
	

	One goal in our Note reads: 
	
	2.1 Document the status quo 

	The Working Group will catalog existing presentation of
security information and corresponding user interpretations reported in
user studies. 

	Assuming the group agrees, that means it is something the group
is willing to work on. 
	
	We have a start on security information itself in "Available
Security Information" of the Note (currently section 7). Which of those
are part of existing presentation of security information (in web user
agents)? My runthrough is below. 
	
	On the corresponding user interpretations reported in user
studies, I'm looking for a volunteer to go through our SharedBookmarks
and indicate which of those have corresponding user interpretations
reported in user studies (and of course to add more references in that
area, if they know of any). Anyone willing to get that aspect going? 
	
	++++++++++++++++++++++++++++++++++++++++++++
	
	HTTP-Auth handshake - for the browser I use, the hostname
appears in the title area of a dialog box, and the realm as the first
line of that dialog box (prompting me for username and password). Also,
if I have saved my username and password in my browser's password saving
feature, my username is filled in, and some indication of the password
as well. (This latter should probably be reflected somewhere in section
7, perhaps under "provided by user".) 
	
	cookies - I can't think of anything that proactively presents
anything about cookies as any indicator of a continuing relationship
with a site (or anything else). I believe I could configure my browser
to proactively show me cookie information. I no longer do that. 
	
	Has the page completed loading? - the browser I use has a
progress indicator at the bottom representing something about the
percentage loading (I'm not sure exactly what each bar is meant to
mean, but I hope it only fills when it's totally done loading), and an
icon in the top right hand corner that "waves" a bit while the loading
is occurring (I got to spend a lot of time staring at both of these
lately participating in the "flash crowd" to try to get BAM tickets for
the McKellen Lear). 
	
	referring page - I don't know of any displays of it 
	redirection path - ditto
	content-type - ditto 
	
	target URI for a hyperlink or form submission - for hyperlinks,
a mouse hover over shows the URL in a status area in both the browser
and rich client I use. The browser I use doesn't seem to show it
anywhere for form submission.
	
	presence of dynamic content - my browser will prompt me if it's
ActiveX and I haven't agreed to always trust the certificate for stuff
like that. There seem to be a number of ways I could configure it to
prompt me for various types of dynamic content. 
	
	Does the content come from multiple domains? - I know of no way
I'm currently told about this. 
	
	Was the content transmitted using SSL? - for the main page, the
URL will begin with https if it was. I guess that the lock icon will
appear as well. If some content is secured this way and some not,
there's this extra prompt before display. I hear some browsers also
change the color of the URL display. 
	
	SSL server certificate chain
<http://www.w3.org/2006/WSC/drafts/note/#pkix> - for most, I think it
only tells me when things go wrong. Here's what Mozilla does:
http://www.w3.org/2006/WSC/wiki/NoteMozillaCertificateValidationErrors.
George couldn't suck it up and post the KDE errors, and no one seems to
be able to say what IE does. I can also double click on the lock icon,
and get that information (and so much more). 
	certificate authority 
	distinguished name  
	public key
	validity timeframe
	
	extended validation - in IE, it will turn the URL green
http://www.cabforum.org/certificates.html
	
	Ciphersuite
	public key algorithm and key length
	symmetric key algorithm and key length
	message digest algorithm
	CRL 
	OCSP <http://www.w3.org/2006/WSC/drafts/note/#ocsp> 
	For all these, if it's not covered in the Mozilla (and other
browser) docs, I don't know. Someone will need to find references or do
writeups. 
	
	server hostname - somebody said there was a browser that
redisplayed the hostname somewhere. 
	server IP address - I don't know of anything 
	localhost versus intranet versus internet - I believe my
browser displays a picture and text in the lower right hand corner. 
	DNSSEC <http://www.w3.org/2006/WSC/drafts/note/#dnssec> - I
have no idea
	
	installed certificate authorities - I can bring up a dialog to
see them, though it's not clear to me how they're differentiated from
ones I've added myself. Different categories? Different tabs? Geez, I
suppose I should really know this...
	installed search engines - I've got a button that brings it up
	default window layout - not sure what should go here. Chrome
commentary? 
	default bookmarks - I've long forgotten if there were some; I
would have removed them 
	default configuration - not sure what aspects to talk about
here 
	
	submitted form values - I don't have anything here
	bookmarks - they are in lists I can bring up, either as a menu
or as part of the window real estate 
	browsing history - there are pulldown lists for back, forward,
and the url display 
	installed client certificates - I imagine there's a dialog I
can find those in. 
	installed server certificates - There's a dialog I can find
those in. 
	How was the URL entered? - no representations of that, afaik
	typed into address bar
	pasted into address bar
	clicked hyperlink
	command from another application
	user's understanding of his task - hmmmm......
	user agent customization - nothing coming to mind 
	
	reputation service - Michael M produced the best writeup I know
on that
http://lists.w3.org/Archives/Public/public-wsc-wg/2007Feb/0081.html
	hyperlinks on visited web pages - not sure what we're getting
at here; perhaps more future looking. 
	introductions from friends
	search engine results - I search, I see them. I've heard it
referred to as the "ten blue links" paradigm. 
	

Received on Thursday, 8 March 2007 13:14:07 UTC