RE: Is the padlock a page security score?

I agree. But the more variables the security indicator takes into
account, the more helpful it becomes for users making trust decisions. 


  _____  

From: Ian Fette [mailto:ifette@google.com] 
Sent: Thursday, January 10, 2008 12:37 PM
To: McCormick, Mike
Cc: Anil.Saldhana@redhat.com; hahnt@us.ibm.com; public-wsc-wg@w3.org;
Mary_Ellen_Zurko@notesdev.ibm.com
Subject: Re: Is the padlock a page security score?


No, but quite frankly neither does any of the information we've talked
about in the page security scoring. The reality is that you have no idea
if, when you post the form, it just sends stuff off to orders@somesite.com
via email, if it's stored in a MySQL database with the default root
password, or if it's a shared server where root is not locked down - all of
this worries me much more than whether it's EV-SSL, using DNSSEC, etc.
The reality is that Visa and MasterCard have guidelines for how
merchants should handle customer data, and that's about the only thing
that I would really care about as a customer. However, I have no way of
verifying that said guidelines are being followed, but I have very
little risk anyway because I can just call US Bank and tell them that
someone is making fraudulent charges against my Northwest WorldPerks
Visa Signature card and they're going to take care of me.

So, I guess my point is that I really don't understand the end goal
here. I thought we wanted to get to the point where someone could
determine whether or not it was safe to make an e-commerce transaction
at a site, but frankly I don't really know that I find the information
we have to be sufficient to actually answer that in a satisfactory
manner. 

-Ian


On Jan 10, 2008 10:31 AM, <michael.mccormick@wellsfargo.com> wrote:


	I would ask the same question about a binary indicator. The padlock does not mean it's safe to enter a credit card.

  _____  

	From: Ian Fette [mailto:ifette@google.com] 
	Sent: Thursday, January 10, 2008 12:26 PM
	To: Anil Saldhana
	Cc: McCormick, Mike; hahnt@us.ibm.com; public-wsc-wg@w3.org;
Mary_Ellen_Zurko@notesdev.ibm.com 

	Subject: Re: Is the padlock a page security score?
	

	I still don't understand what anything beyond a binary result is supposed to tell a user. I'm on a site with "Medium" security - what does that mean? Does that mean that I should give them my credit card or not?
	
	
	On Jan 10, 2008 10:00 AM, Anil Saldhana
<Anil.Saldhana@redhat.com> wrote:
	


		Maybe there is an opportunity to associate "High/Medium/Low" or "Strong/Medium/Low" based on page security score with the padlock.
		

		michael.mccormick@wellsfargo.com wrote:
		> Sure, I agree the padlock is a binary representation of a boolean security
		> score formula based on a single security variable (SSL on main page).  A
		> degenerate case IMHO - but still technically a page security score.
		>
		> A security score algorithm should take into account most (if not all) of the
		> variables we enumerated under "What is a Secure Page?"  Perhaps the note
		> should state that explicitly.  Then padlocks wouldn't qualify.
		>
		>   _____
		>
		> From: public-wsc-wg-request@w3.org
[mailto:public-wsc-wg-request@w3.org] On
		> Behalf Of Timothy Hahn 
		> Sent: Thursday, January 10, 2008 10:40 AM
		> To: public-wsc-wg@w3.org
		> Subject: Re: Is the padlock a page security score?
		>
		>
		>
		> Mez, 
		>
		> I'll toss in my view that the padlock is an example of a page security
		> score.  In most user agents, this seems to be pretty much "binary" (on or
		> off) though I think we've heard from some folks that there are some
		> "embellishments" on their display of the icon which would provide more
		> gradations based on information received.
		>
		> On the bright side of such a visible item - it is relatively easy to
		> describe and for people to grasp the meaning of.
		>
		> On the down side of the padlock -  ... well, we've had
lots of that
		> discussion on this list already - see the archives.
		>
		> Regards, 
		> Tim Hahn
		> IBM Distinguished Engineer
		>
		> Internet: hahnt@us.ibm.com
		> Internal: Timothy Hahn/Durham/IBM@IBMUS
		> phone: 919.224.1565     tie-line: 8/687.1565 
		> fax: 919.224.2530
		>
		>
		>
		>
		> From:         "Mary Ellen Zurko"
<Mary_Ellen_Zurko@notesdev.ibm.com>
		>
		> To:   public-wsc-wg@w3.org
		>
		> Date:         01/10/2008 11:10 AM
		>
		> Subject:      Is the padlock a page security score?
		>
		>   _____
		>
		> If not, why not?
		>
		>          Mez
		>
		
		--
		Anil Saldhana
		Project/Technical Lead,
		JBoss Security & Identity Management 
		JBoss, A division of Red Hat Inc.
		http://labs.jboss.com/portal/jbosssecurity/

Received on Thursday, 10 January 2008 18:42:41 UTC