- From: Doyle, Bill <wdoyle@mitre.org>
- Date: Thu, 8 Mar 2007 08:13:51 -0500
- To: "Mary Ellen Zurko" <Mary_Ellen_Zurko@notesdev.ibm.com>, <public-wsc-wg@w3.org>
- Message-ID: <518C60F36D5DBC489E91563736BA4B58015610FF@IMCSRV5.MITRE.ORG>
MEZ,

We have status quo and we have opened up new context that needs to be added. Discussion took place about the Robustness of authentication mechanism, or type of authentication being security context and we need to build out the types of authentication mechanism listed e.g. personalized shared secrets for lack of a better term.

Not sure how this update process works.

Bill D

________________________________

From: public-wsc-wg-request@w3.org [mailto:public-wsc-wg-request@w3.org] On Behalf Of Mary Ellen Zurko
Sent: Tuesday, March 06, 2007 5:33 PM
To: public-wsc-wg@w3.org
Subject: Documenting the status quo

One goal in our Note reads:

2.1 Document the status quo

The Working Group will catalog existing presentation of security information and corresponding user interpretations reported in user studies.

Assuming the group agrees, that means it is something the group is willing to work on. We have a start on security information itself in "Available Security Information" of the Note (currently section 7). Which of those are part of existing presentation of security information (in web user agents)? My runthrough is below.

On the corresponding user interpretations reported in user studies, I'm looking for a volunteer to go through our SharedBookmarks and indicate which of those have corresponding user interpretations reported in user studies (and of course to add more references in that area, if they know of any). Anyone willing to get that aspect going?

++++++++++++++++++++++++++++++++++++++++++++

HTTP-Auth handshake - for the browser I use, the hostname appears in the title area of a dialog box, and the realm as the first line of that dialog box (prompting me for username and password). Also, if I have saved my username and password in my browser's password saving feature, my username is filled in, and some indication of the password as well. (this latter should probably be reflected somewhere in section 7, perhaps under "provided by user").
cookies - I can't think of anything that proactively presents anything about cookies as any indicator of a continuing relationship with a site (or anything else). I believe I could configure my browser to proactively show me cookie information. I no longer do that.

Has the page completed loading? - the browser I use has a progress indicator at the bottom representing something about the percentage loading (I'm not sure exactly what each bar is meant to mean, but I hope it only fills when it's totally done loading), and an icon in the top right hand corner that "waves" a bit while the loading is occurring (I got to spend a lot of time staring at both of these lately participating in the "flash crowd" to try to get BAM tickets for the McKellen Lear).

referring page - I don't know of any displays of it

redirection path - ditto

content-type - ditto

target URI for a hyperlink or form submission - for hyperlinks, a mouse hover over shows the URL in a status area in both the browser and rich client I use. The browser I use doesn't seem to show it anywhere for form submission.

presence of dynamic content - my browser will prompt me if it's ActiveX and I haven't agreed to always trust the certificate for stuff like that. There seem to be a number of ways I could configure it to prompt me for various types of dynamic content.

Does the content come from multiple domains? - I know of no way I'm currently told about this.

Was the content transmitted using SSL? - for the main page, the URL will begin with https if it was. I guess that the lock icon will appear as well. If some content is secured this way and some not, there's this extra prompt before display. I hear some browsers also change the color of the URL display.

SSL server certificate chain <http://www.w3.org/2006/WSC/drafts/note/#pkix> - for most, I think it only tells me when things go wrong. Here's what Mozilla does: http://www.w3.org/2006/WSC/wiki/NoteMozillaCertificateValidationErrors.
George couldn't suck it up and post the KDE errors, and no one seems to be able to say what IE does. I can also double click on the lock icon, and get that information (and so much more).

certificate authority
distinguished name
public key
validity timeframe
extended validation - in IE, it will turn the URL green http://www.cabforum.org/certificates.html
Ciphersuite
public key algorithm and key length
symmetric key algorithm and key length
message digest algorithm
CRL
OCSP <http://www.w3.org/2006/WSC/drafts/note/#ocsp>

For all these, if it's not covered in the Mozilla (and other browser) docs, I don't know. Someone will need to find references or do writeups.

server hostname - somebody said there was a browser that redisplayed the hostname somewhere.

server IP address - I don't know of anything

localhost versus intranet versus internet - I believe my browser displays a picture and text in the lower right hand corner.

DNSSEC <http://www.w3.org/2006/WSC/drafts/note/#dnssec> - I have no idea

installed certificate authorities - I can bring up a dialog to see them, though it's not clear to me how they're differentiated from ones I've added myself. Different categories? Different tabs? Geez, I suppose I should really know this...

installed search engines - I've got a button that brings it up

default window layout - not sure what should go here. Chrome commentary?

default bookmarks - I've long forgotten if there were some; I would have removed them

default configuration - not sure what aspects to talk about here

submitted form values - I don't have anything here

bookmarks - they are in lists I can bring up, either as a menu or as part of the window real estate

browsing history - there are pulldown lists for back, forward, and the url display

installed client certificates - I imagine there's a dialog I can find those in.

installed server certificates - There's a dialog I can find those in.

How was the URL entered? - no representations of that, afaik
typed into address bar
pasted into address bar
clicked hyperlink
command from another application

user's understanding of his task - hmmmm......

user agent customization - nothing coming to mind

reputation service - Michael M produced the best writeup I know on that http://lists.w3.org/Archives/Public/public-wsc-wg/2007Feb/0081.html

hyperlinks on visited web pages - not sure what we're getting at here; perhaps more future looking.

introductions from friends

search engine results - I search, I see them. I've heard it referred to as the "ten blue links" paradigm.
Received on Thursday, 8 March 2007 13:14:07 UTC