Re: Is the padlock a page security score?

Right on point, Tim.

We have a tendency to cite personal experiences/behavior and equate them 
with the general behavior of the masses. A security indicator to one does 
not mean an indicator to everyone.

The WG has had discussions that the padlock is not sufficient to ensure 
secure behavior.  Hence the page security score, EV cert bar, etc. :)

Timothy Hahn wrote:
> Hi all,
> 
> This whole discussion is subjective.  What is useful for one person could 
> very well be useless to someone else.
> 
> An analogy - weather forecasts about the possibility of rain today.  Does 
> such a score indicate whether I will get rained on?  No.  Does it help me 
> decide whether or not to wear a hat or carry an umbrella?  Yes.  There is 
> no way that people other than meteorologists (and some would argue, even 
> them) will accurately interpret isobars, cloud patterns, and Doppler radar 
> to determine whether it will rain.  But people can get a feeling for the 
> chances of rain based on a 0-100% estimate.
> 
> I think the same is true for the notion of a page security score.  Does it 
> imply that the user will definitely, without a doubt, not get "taken"? No.
> Does it give the user something with which to make a choice?  Yes.  In 
> this light, I still feel that page security scores are good things to 
> consider.
> 
> Regards,
> Tim Hahn
> IBM Distinguished Engineer
> 
> Internet: hahnt@us.ibm.com
> Internal: Timothy Hahn/Durham/IBM@IBMUS
> phone: 919.224.1565     tie-line: 8/687.1565
> fax: 919.224.2530
> 
> 
> 
> 
> From:
> <michael.mccormick@wellsfargo.com>
> To:
> <ifette@google.com>, <Anil.Saldhana@redhat.com>
> Cc:
> Timothy Hahn/Durham/IBM@IBMUS, <public-wsc-wg@w3.org>, 
> <Mary_Ellen_Zurko@notesdev.ibm.com>
> Date:
> 01/10/2008 01:34 PM
> Subject:
> RE: Is the padlock a page security score?
> 
> 
> 
> I would ask the same question about a binary indicator.  The padlock does 
> not mean it's safe to enter a credit card.
> 
> From: Ian Fette [mailto:ifette@google.com] 
> Sent: Thursday, January 10, 2008 12:26 PM
> To: Anil Saldhana
> Cc: McCormick, Mike; hahnt@us.ibm.com; public-wsc-wg@w3.org; 
> Mary_Ellen_Zurko@notesdev.ibm.com
> Subject: Re: Is the padlock a page security score?
> 
> I still don't understand what anything beyond a binary result is supposed 
> to tell a user. I'm on a site with "Medium" security - what does that 
> mean? Does that mean that I should give them my credit card or not? 
> 
> On Jan 10, 2008 10:00 AM, Anil Saldhana <Anil.Saldhana@redhat.com> wrote:
> 
> Maybe there is an opportunity to associate "High/Medium/Low" or
> "Strong/Medium/Low" based on page security score with the padlock.
> 
> michael.mccormick@wellsfargo.com wrote:
>> Sure, I agree the padlock is a binary representation of a boolean security
>> score formula based on a single security variable (SSL on main page).  A
>> degenerate case IMHO - but still technically a page security score. 
>>
>> A security score algorithm should take into account most (if not all) of the
>> variables we enumerated under "What is a Secure Page?"  Perhaps the note
>> should state that explicitly.  Then padlocks wouldn't qualify. 
>>
>>   _____
>>
>> From: public-wsc-wg-request@w3.org [mailto:public-wsc-wg-request@w3.org] On
>> Behalf Of Timothy Hahn 
>> Sent: Thursday, January 10, 2008 10:40 AM
>> To: public-wsc-wg@w3.org
>> Subject: Re: Is the padlock a page security score?
>>
>>
>>
>> Mez, 
>>
>> I'll toss in my view that the padlock is an example of a page security
>> score.  In most user agents, this seems to be pretty much "binary" (on or
>> off), though I think we've heard from some folks that there are some 
>> "embellishments" on their display of the icon which would provide more
>> gradations based on information received.
>>
>> On the bright side of such a visible item - it is relatively easy to 
>> describe and for people to grasp the meaning of.
>>
>> On the down side of the padlock -  ... well, we've had lots of that
>> discussion on this list already - see the archives.
>>
>> Regards, 
>> Tim Hahn
>> IBM Distinguished Engineer
>>
>> Internet: hahnt@us.ibm.com
>> Internal: Timothy Hahn/Durham/IBM@IBMUS
>> phone: 919.224.1565     tie-line: 8/687.1565 
>> fax: 919.224.2530
>>
>>
>>
>>
>> From:         "Mary Ellen Zurko" <Mary_Ellen_Zurko@notesdev.ibm.com>
>>
>> To:   public-wsc-wg@w3.org
>>
>> Date:         01/10/2008 11:10 AM
>>
>> Subject:      Is the padlock a page security score?
>>
>>   _____
>>
>>
>>
>>
>>
>> If not, why not?
>>
>>          Mez
>>
>>
>>
>>
>>
> 
> --
> Anil Saldhana
> Project/Technical Lead,
> JBoss Security & Identity Management 
> JBoss, A division of Red Hat Inc.
> http://labs.jboss.com/portal/jbosssecurity/
> 
> 
> 
> 

-- 
Anil Saldhana
Project/Technical Lead,
JBoss Security & Identity Management
JBoss, A division of Red Hat Inc.
http://labs.jboss.com/portal/jbosssecurity/

Received on Thursday, 10 January 2008 19:18:03 UTC