RE: Is the padlock a page security score?

I agree that the trust decision is multi-varied; it concerns, at a minimum,
the confidence that you know who you are interacting with; the confidence you
have that the communication is private and confidential between the parties
and out of the hands of lurking man-in-the-middle/hijacking attacks; and the
confidence you have in the party you are interacting with regarding their
integrity and trustworthiness in keeping confidential data safe and secure.
Representing these various dimensions may well require more than a single
number.

  _____  

From: public-wsc-wg-request@w3.org [mailto:public-wsc-wg-request@w3.org] On
Behalf Of michael.mccormick@wellsfargo.com
Sent: Thursday, January 10, 2008 1:41 PM
To: ifette@google.com
Cc: Anil.Saldhana@redhat.com; hahnt@us.ibm.com; public-wsc-wg@w3.org;
Mary_Ellen_Zurko@notesdev.ibm.com
Subject: RE: Is the padlock a page security score?

I agree. But the more variables the security indicator takes into account,
the more helpful it becomes for users making trust decisions. 

  _____  

From: Ian Fette [mailto:ifette@google.com] 
Sent: Thursday, January 10, 2008 12:37 PM
To: McCormick, Mike
Cc: Anil.Saldhana@redhat.com; hahnt@us.ibm.com; public-wsc-wg@w3.org;
Mary_Ellen_Zurko@notesdev.ibm.com
Subject: Re: Is the padlock a page security score?

No, but quite frankly neither does any of the information we've talked about
in the page security scoring. The reality is that you have no idea if, when
you post the form, it just sends stuff off to orders@somesite.com via email,
if it's stored in a MySQL database with the default root password, if it's a
shared server where root is not locked down - all of this worries me much
more than whether it's EV-SSL, using DNSSEC, etc. The reality is that Visa
and MasterCard have guidelines for how merchants should handle customer
data, and that's about the only thing that I would really care about as a
customer. However, I have no way of verifying that said guidelines are being
followed, but I have very little risk anyways because I can just call US
Bank and tell them that someone is making fraudulent charges against my
Northwest WorldPerks Visa Signature card and they're going to take care of
me.

So, I guess my point is that I really don't understand the end goal here. I
thought we wanted to get to the point where someone could determine whether
or not it was safe to make an e-commerce transaction at a site, but frankly
I don't really know that I find the information we have to be sufficient to
actually answer that in a satisfactory manner. 

-Ian

On Jan 10, 2008 10:31 AM, <michael.mccormick@wellsfargo.com> wrote:

I would ask the same question about a binary indicator.  The padlock does
not mean it's safe to enter a credit card.

  _____  

From: Ian Fette [mailto:ifette@google.com] 
Sent: Thursday, January 10, 2008 12:26 PM
To: Anil Saldhana
Cc: McCormick, Mike; hahnt@us.ibm.com; public-wsc-wg@w3.org;
Mary_Ellen_Zurko@notesdev.ibm.com
Subject: Re: Is the padlock a page security score?

I still don't understand what anything beyond a binary result is supposed to
tell a user. I'm on a site with "Medium" security - what does that mean?
Does that mean that I should give them my credit card or not? 

On Jan 10, 2008 10:00 AM, Anil Saldhana <Anil.Saldhana@redhat.com> wrote:
Maybe there is an opportunity to associate "High/Medium/Low" or
"Strong/Medium/Low" based on page security score with the padlock.


michael.mccormick@wellsfargo.com wrote:
> Sure, I agree the padlock is a binary representation of a boolean security
> score formula based on a single security variable (SSL on main page). A
> degenerate case IMHO - but still technically a page security score.
>
> A security score algorithm should take into account most (if not all) of
> the variables we enumerated under "What is a Secure Page?" Perhaps the note
> should state that explicitly. Then padlocks wouldn't qualify.
>
>   _____
>
> From: public-wsc-wg-request@w3.org [mailto:public-wsc-wg-request@w3.org]
> On Behalf Of Timothy Hahn
> Sent: Thursday, January 10, 2008 10:40 AM
> To: public-wsc-wg@w3.org
> Subject: Re: Is the padlock a page security score?
>
> Mez,
>
> I'll toss in my view that the padlock is an example of a page security
> score.  In most user agents, this seems to be pretty much "binary" (on or
> off) though I think we've heard from some folks that there are some 
> "embellishments" on their display of the icon which would provide more
> gradations based on information received.
>
> On the bright side of such a visible item - it is relatively easy to 
> describe and for people to grasp the meaning of.
>
> On the down side of the padlock -  ... well, we've had lots of that
> discussion on this list already - see the archives.
>
> Regards, 
> Tim Hahn
> IBM Distinguished Engineer
>
> Internet: hahnt@us.ibm.com
> Internal: Timothy Hahn/Durham/IBM@IBMUS
> phone: 919.224.1565     tie-line: 8/687.1565 
> fax: 919.224.2530
>
> From: "Mary Ellen Zurko" <Mary_Ellen_Zurko@notesdev.ibm.com>
> To: public-wsc-wg@w3.org
> Date: 01/10/2008 11:10 AM
> Subject: Is the padlock a page security score?
>
>   _____
>
> If not, why not?
>
>          Mez
>

--
Anil Saldhana
Project/Technical Lead,
JBoss Security & Identity Management 
JBoss, A division of Red Hat Inc.
http://labs.jboss.com/portal/jbosssecurity/

Received on Thursday, 10 January 2008 19:16:37 UTC