Re: Is the padlock a page security score?

We talk a lot about "trust decisions", and this seems like a very nebulous
term to me. I would really like to go back to use cases. The use cases I can
think of are primarily:

a) creating a non-commerce account (e.g. a Slashdot account, a Facebook
account, etc.)

b) creating a commerce account or a commerce transaction

For a) I can see where this might possibly be useful, but I'm definitely not
convinced. For instance, for Facebook I'm much more worried about them
getting hacked, or about some XSS/CSRF attack, than I am about a MITM attack.

For b) I really don't think a score would be helpful to me.

-Ian

On Jan 10, 2008 10:39 AM, <michael.mccormick@wellsfargo.com> wrote:

>
> I agree.  But the more variables the security indicator takes into
> account, the more helpful it becomes for users making trust decisions.
>
> -----Original Message-----
> From: Mike Beltzner [mailto:beltzner@mozilla.com]
> Sent: Thursday, January 10, 2008 12:35 PM
> To: McCormick, Mike
> Cc: ifette@google.com; Anil.Saldhana@redhat.com; hahnt@us.ibm.com;
> public-wsc-wg@w3.org; Mary_Ellen_Zurko@notesdev.ibm.com
> Subject: Re: Is the padlock a page security score?
>
> michael.mccormick@wellsfargo.com wrote:
> > I would ask the same question about a binary indicator.  The padlock
> > does not mean it's safe to enter a credit card.
>
> That is a problem with what the padlock indicates, not with the fact
> that it's a binary indicator. There is nothing that we can ever do to
> assure that it's "safe" to enter a credit card number - even if we can
> verify the identity of the endpoint, and the encryption on the wire, and
> that the endpoint has a BBB rating, it's entirely possible that there's
> someone who's installed a backdoor to their database system.
>
> cheers,
> mike
>
>
>

Received on Thursday, 10 January 2008 18:43:17 UTC