- From: Ian Fette <ifette@google.com>
- Date: Tue, 11 Sep 2007 14:31:23 -0700
- To: "WSC WG" <public-wsc-wg@w3.org>
Well, although consensus was declared, in subsequent meetings we've been going back and forth about this use case. Two main comments were raised - one is that the use case was too specific re: blacklisting (i.e. supposing the existence of a particular technology or method). This is probably a valid concern and as I said I'm happy to re-write the use case to address that concern. A second concern was seemingly deeper, more fundamental, raised by Tyler in the call and in multiple emails (I don't think I can really re-state it in a way that everyone would agree with, so I will simply say that there were other concerns raised by Tyler and leave it there).

At the last meeting (or last-1?) there was a straw poll done to see how people felt about including the use case that has become Issue 101. (This is the malware use-case). It was a bunch of "Yes" and "Don't care"'s with one No. I'd really like to come to a point where we can move on.

The original use case proposed was this:

Betty tries to connect to a web site at <http://www.example.com/>. She visits this site frequently to read various news and articles. Since her last visit, the site example.com has been compromised by some method, and visitors are now being infected with malware. A blacklist used by her user agent has since listed example.com as a known bad site, what warnings should Betty be presented with?

Destination Site - Known, Prior visit
Navigation - any
Intended interaction - Information retrieval
Actual interaction - software installation

Note - This is slightly different than use case 19. It still deals with how to present results obtained from reputation services, but in the case of a user returning to a site that they believe to be "good" when that site is now believed to be compromised.

I'm happy to change it to the following if it would make people happier:

Betty tries to connect to a web site at <http://www.example.com/>. She visits this site frequently to read various news and articles. Since her last visit, the site example.com has been compromised by some method, and visitors are now being infected with malware. At the time of the current request, Betty's user agent now has information saying that example.com is a known bad site. What warnings should Betty be presented with?

Destination Site - Known, Prior visit
Navigation - any
Intended interaction - Information retrieval
Actual interaction - software installation

Note - This is slightly different than use case 19. It still deals with how to present results obtained from reputation services, but in the case of a user returning to a site that they believe to be "good" when that site is now believed to be compromised.

This doesn't specifically mention blacklist, domain reputation services, anything like that - it's just saying that the browser somehow knows it's now a site that if Betty visits, bad things will happen.

Do people prefer this new version? Or, more importantly, will this new version change anyone's [tyler] votes? Can we move on?

-Ian

On 8/24/07, Mary Ellen Zurko <Mary_Ellen_Zurko@notesdev.ibm.com> wrote:
>
> http://www.w3.org/2006/WSC/track/issues/101
>
> Over a week. I declare consensus.
>
> Tyler, please fold in.
>
> Please also add Ian's name to the acknowledgements.
>
> Mez
>
> Mary Ellen Zurko, STSM, IBM Lotus CTO Office (t/l 333-6389)
> Lotus/WPLC Security Strategy and Patent Innovation Architect

Received on Tuesday, 11 September 2007 21:31:35 UTC