RE: ISSUE-69: New goal--Reduce the number of scenarios in which users' security depends upon authenticating sites

These are good points

-----Original Message-----
From: public-wsc-wg-request@w3.org [mailto:public-wsc-wg-request@w3.org] On
Behalf Of Serge Egelman
Sent: Tuesday, May 01, 2007 11:03 PM
To: Mary Ellen Zurko
Cc: Web Security Context WG
Subject: Re: ISSUE-69: New goal--Reduce the number of scenarios in which
users' security depends upon authenticating sites


This actually reminds me of something I've been thinking about for a few
weeks now:  there are certain situations where the user needs to make a
decision.  I think it would be interesting to create a taxonomy of
situations where user decisions are required.  Of all the ones I can
currently think of, they all appear to fit under "policy decision."  For
instance, setting access permissions, determining whether the
destination site really matches the destination intended, etc.

Maybe this should be an action item?

serge

Mary Ellen Zurko wrote:
> 
> I like the idea of having a goal in this space. I'd like to propose an
> alternative wording that is more in line with the wording of our
> charter. So I'm sure Stuart will like it less, because it is more
> abstract and opaque.
> 
>    Title:   "Reduce the number of scenarios in which users need to make
> trust decisions."
>    Content: "No matter how well security context information is
> presented, there
> will always be users who, in some situations, will behave insecurely even in
> the face of harsh warnings.  Thus, the working group will also recommend
> ways to reduce the number of situations in which users need to make
> trust decisions."
> 
>           Mez
> 
> Mary Ellen Zurko, STSM, IBM Lotus CTO Office       (t/l 333-6389)
> Lotus/WPLC Security Strategy and Patent Innovation Architect
> 
> *Web Security Context Issue Tracker <dean+cgi@w3.org>*
> Sent by: public-wsc-wg-request@w3.org
> 04/25/2007 10:38 AM
> Please respond to Web Security Context WG <public-wsc-wg@w3.org>
> To: public-wsc-wg@w3.org
> Subject: ISSUE-69: New goal--Reduce the number of scenarios in which users'
> security depends upon authenticating sites
> 
> ISSUE-69: New goal--Reduce the number of scenarios in which users'
> security depends upon authenticating sites
> 
> http://www.w3.org/2006/WSC/Group/track/issues/69
> 
> Raised by: Stuart Schechter
> On product: Note: use cases etc.
> 
> Looking at the goals in Section 2 of the note, I don't see how password
> managers, which reduce the likelihood that a user will enter a password into
> an impersonation site, would fit into our goals.  MeZ tells me that she
> believes there is a rough consensus that they are in line with our goals.
> Stuart proposes a new goal between 2.5 and 2.6:
> 
>   Title:   "Reduce the number of scenarios in which users' security depends
> on their ability to authenticate a site"
>   Content: "No matter how well security information is presented, there
> will always be users who, in some situations, will behave insecurely even in
> the face of harsh warnings.  Thus, the working group will also recommend
> ways to reduce the number of situations in which users' security will be
> compromised if they fail to recognize an impersonation attack or other
> security failure."

-- 
/*
Serge Egelman

PhD Candidate
Vice President for External Affairs, Graduate Student Assembly
Carnegie Mellon University

Legislative Concerns Chair
National Association of Graduate-Professional Students
*/

Received on Wednesday, 2 May 2007 10:29:21 UTC