Re: ISSUE-170: 6.3 Seems more like extension/experimentation than standardization [wsc-xit]

Hi,

From the "Overview" section of [wsc-xit] (http://www.w3.org/TR/wsc-xit/), 
I read this:

"This specification deals with the trust decisions that users must make 
online, and with ways to support them in making safe and informed 
decisions where possible. "

In my opinion, boiling down a bunch of very intricate, security-related 
information, into something that people using user agents are more able to 
comprehend (e.g. some value between 0 and 100, 0 is bad, 100 is good) will 
definitely help them to make a more informed decision.  More informed than 
waiting for these users to understand what constitutes a self-signed 
certificate or whether that certificate is expired or not and what that 
might or might not mean.

I, personally, continue to feel that this recommendation has merit.

Note that I see that there are now two low-fi prototype scoring 
calculations.  One I proposed to the mailing list last week as well as this 
one - in the wiki:
http://www.w3.org/2006/WSC/wiki/RecommendationDisplayProposals/PageScore
I don't think either of them is perfect.  But I think they both serve to 
give us an idea of what such a score would provide to users of user 
agents.

Regards,
Tim Hahn
IBM Distinguished Engineer

Internet: hahnt@us.ibm.com
Internal: Timothy Hahn/Durham/IBM@IBMUS
phone: 919.224.1565     tie-line: 8/687.1565
fax: 919.224.2530




From: Web Security Context Working Group Issue Tracker <sysbot+tracker@w3.org>
To: public-wsc-wg@w3.org
Date: 01/07/2008 09:59 AM
Subject: ISSUE-170: 6.3 Seems more like extension/experimentation than standardization [wsc-xit]





ISSUE-170: 6.3 Seems more like extension/experimentation than 
standardization [wsc-xit]

http://www.w3.org/2006/WSC/track/issues/

Raised by: Johnathan Nightingale
On product: wsc-xit

I continue to feel that this isn't a recommendation we should make.  It 
would be interesting fodder for browser extension developers, but even 
then, our shared bookmarks contain specific research around security 
scoring in primary UI and have found it to be non-helpful in preventing 
attack.  If the intent of this recommendation is not to prevent attack, 
then we should be clear about what the intent *is* because I don't think 
it provides helpful context on its own outside of attack resistance.

Received on Monday, 7 January 2008 15:32:31 UTC