- From: Mike Beltzner <beltzner@mozilla.com>
- Date: Thu, 10 Jan 2008 14:15:57 -0500
- To: michael.mccormick@wellsfargo.com, "public-wsc-wg@w3.org >> Web Security Context Working Group WG" <public-wsc-wg@w3.org>
michael.mccormick@wellsfargo.com wrote:

> I agree. I like the weather analogy. There's no perfect security
> indicator. But the more variables an indicator takes into account the
> more it approaches the asymptote.

The weather analogy is indeed fantastic, because people know what an 80% chance of rain means. What Ian and I are asking - and what nobody has given an answer to, although you've done a great job of continually reshaping the question! - is what does an "80% chance of security" mean to someone?

> I guess the alternative would be to throw up our hands and say all
> security context indicators are useless.

Yes, if we're looking for strawman arguments, that would be great. At no point have I seen anyone say that we shouldn't be listing the various security indicators and their results. All I've been saying is that we should be expressing those in human-consumable terms, and then expressing a human-consumable summary that's actionable.

In the weather analogy, it's easy to see what you do if there's an 80% chance of rain: you either wear clothes you don't care about having get wet, or you drive a car, or you don't go for a jog, etc.

In the case of our use cases, what I'm saying is that an "80% chance of security" doesn't help as much as saying "Identity Verified" or "This site is insecure", with more details available underneath.

What I'm saying is that summating those disparate indicators into a single percentage based score isn't helpful in this application.

cheers,
mike

Received on Thursday, 10 January 2008 19:16:23 UTC