Re: Is the padlock a page security score?

I don't know about useless, but I worry a *lot* about giving a false sense
of security. There could be a site using DNSSEC and an EV-cert, that is
hosted on some crappy shared server that uses a MySQL 3 database and we
would give it a 100. That's disturbing to me because it would be very
misleading and provide a very false sense of security.

On Jan 10, 2008 11:04 AM, <michael.mccormick@wellsfargo.com> wrote:

>  I agree.  I like the weather analogy.  There's no perfect security
> indicator.  But the more variables an indicator takes into account the more
> it approaches the asymptote.
>
> I guess the alternative would be to throw up our hands and say all
> security context indicators are useless.
>
>  ------------------------------
> From: public-wsc-wg-request@w3.org [mailto:public-wsc-wg-request@w3.org] On Behalf Of Timothy Hahn
> Sent: Thursday, January 10, 2008 12:54 PM
> To: public-wsc-wg@w3.org
> Subject: RE: Is the padlock a page security score?
>
>
> Hi all,
>
> This whole discussion is subjective.  What is useful for one person could
> very well be useless to someone else.
>
> An analogy - weather forecasts about the possibility of rain today.  Does
> such a score indicate whether I will get rained on?  No.  Does it help me
> decide whether or not to wear a hat or carry an umbrella?  Yes.  There is no
> way that people other than meteorologists (and some would argue, even them)
> will accurately interpret isobars, cloud patterns, and doppler radar to
> determine whether it will rain.  But people can get a feeling for the
> chances of rain based on a 0-100% estimate.
>
> I think the same is true for the notion of a page security score.  Does it
> imply that the user will definitely, without a doubt, not get "taken"?  No.
>  Does it give the user something with which to make a choice?  Yes.  In this
> light, I still feel that page security scores are good things to consider.
>
> Regards,
> Tim Hahn
> IBM Distinguished Engineer
>
> Internet: hahnt@us.ibm.com
> Internal: Timothy Hahn/Durham/IBM@IBMUS
> phone: 919.224.1565     tie-line: 8/687.1565
> fax: 919.224.2530
>
> From: <michael.mccormick@wellsfargo.com>
> To: <ifette@google.com>, <Anil.Saldhana@redhat.com>
> Cc: Timothy Hahn/Durham/IBM@IBMUS, <public-wsc-wg@w3.org>, <Mary_Ellen_Zurko@notesdev.ibm.com>
> Date: 01/10/2008 01:34 PM
> Subject: RE: Is the padlock a page security score?
> ------------------------------
>
> I would ask the same question about a binary indicator.  The padlock does
> not mean it's safe to enter a credit card.
>
> ------------------------------
> From: Ian Fette [mailto:ifette@google.com]
> Sent: Thursday, January 10, 2008 12:26 PM
> To: Anil Saldhana
> Cc: McCormick, Mike; hahnt@us.ibm.com; public-wsc-wg@w3.org; Mary_Ellen_Zurko@notesdev.ibm.com
> Subject: Re: Is the padlock a page security score?
>
> I still don't understand what anything beyond a binary result is supposed
> to tell a user. I'm on a site with "Medium" security - what does that mean?
> Does that mean that I should give them my credit card or not?
>
> On Jan 10, 2008 10:00 AM, Anil Saldhana <Anil.Saldhana@redhat.com> wrote:
>
> Maybe there is an opportunity to associate "High/Medium/Low" or
> "Strong/Medium/Low" based on page security score with the padlock.
> michael.mccormick@wellsfargo.com <michael.mccormick@wellsfargo.com> wrote:
> > Sure, I agree the padlock is a binary representation of a boolean security
> > score formula based on a single security variable (SSL on main page).  A
> > degenerate case IMHO - but still technically a page security score.
> >
> > A security score algorithm should take into account most (if not all) of the
> > variables we enumerated under "What is a Secure Page?"  Perhaps the note
> > should state that explicitly.  Then padlocks wouldn't qualify.
> >
> >   _____
> >
> > From: public-wsc-wg-request@w3.org [mailto:public-wsc-wg-request@w3.org] On
> > Behalf Of Timothy Hahn
> > Sent: Thursday, January 10, 2008 10:40 AM
> > To: public-wsc-wg@w3.org
> > Subject: Re: Is the padlock a page security score?
> >
> > Mez,
> >
> > I'll toss in my view that the padlock is an example of a page security
> > score.  In most user agents, this seems to be pretty much "binary" (on or
> > off) though I think we've heard from some folks that there are some
> > "embellishments" on their display of the icon which would provide more
> > gradations based on information received.
> >
> > On the bright side of such a visible item - it is relatively easy to
> > describe and for people to grasp the meaning of.
> >
> > On the down side of the padlock -  ... well, we've had lots of that
> > discussion on this list already - see the archives.
> >
> > Regards,
> > Tim Hahn
> > IBM Distinguished Engineer
> >
> > Internet: hahnt@us.ibm.com
> > Internal: Timothy Hahn/Durham/IBM@IBMUS
> > phone: 919.224.1565     tie-line: 8/687.1565
> > fax: 919.224.2530
> >
> > From: "Mary Ellen Zurko" <Mary_Ellen_Zurko@notesdev.ibm.com>
> > To: public-wsc-wg@w3.org
> > Date: 01/10/2008 11:10 AM
> > Subject: Is the padlock a page security score?
> >   _____
> >
> > If not, why not?
> >
> >          Mez
> >
>
> --
> Anil Saldhana
> Project/Technical Lead,
> JBoss Security & Identity Management
> JBoss, A division of Red Hat Inc.
> http://labs.jboss.com/portal/jbosssecurity/
>

Received on Thursday, 10 January 2008 19:09:04 UTC