- From: Anil Saldhana <Anil.Saldhana@redhat.com>
- Date: Thu, 10 Jan 2008 13:57:43 -0600
- To: "public-wsc-wg@w3.org" <public-wsc-wg@w3.org>

I understand the "over-13" and hide the birthday in profile. The question I have for them is why not - "Are you over 13?" and - gives us the day and month of birth. I do not think Orkut does (year of birth). So they are ok.

Ian Fette wrote:
> I think part of it is to verify that you are over 13, but the other part is
> probably because people want to know when their friends' birthdays are
> coming up. You can choose to hide your birthday in your profile.
>
> On Jan 10, 2008 11:49 AM, Anil Saldhana <Anil.Saldhana@redhat.com> wrote:
>
>> Bob and Bill, I think what the application does from security/privacy
>> perspective is beyond the control of the UA.
>>
>> I am still trying to understand completely why Facebook wants "date of
>> birth" during registration and prominently displays it in personal
>> profile.
>>
>> Robert Yonaitis wrote:
>>> Just forwarding this one for bill as it seems his posts from the last
>>> few times have not gone through
>>>
>>> cheers
>>> -----Original Message-----
>>> From: William Eburn
>>> Sent: Thursday, January 10, 2008 2:33 PM
>>> To: 'Anil Saldhana'; public-wsc-wg@w3.org
>>> Subject: RE: Is the padlock a page security score?
>>>
>>> Hello all,
>>>
>>> As you may know, HiSoftware has content and application testing tools
>>> around privacy, security, accessibility, general content quality,
>>> corporate branding, and several factors of site quality.
>>>
>>> I am concerned that if we give some de facto score but do not consider
>>> the content or application, then would I not as a user of the browser
>>> that gave me the information have the right to sue their corporation if
>>> I went to a site, the score said 90% reliable and I entered all my PII
>>> and the next user saw that it was 90% secure -- knew that the scoring
>>> system was flawed because it didn't consider the content, or the
>>> application and in this case used a simple SQL Injection to grab all the
>>> PII out of the system (including mine), then opened multiple bank
>>> accounts, got car loans, and did whatever, causing me great harm. While
>>> it's true I was able to cancel the charges as being fraudulent, it took
>>> over a year to do so. Would the company that provided the page score be
>>> responsible in a court of law?
>>>
>>> Please note, this would be different depending on which country you were
>>> in.
>>>
>>> I think, from our perspective the education of the user to the state of
>>> the different security indicators is important but for us to assign any
>>> value judgment on them would at best, be foolish. Immediately we could
>>> never assign 100%, because as part of the working group we've already
>>> said that we aren't examining the content or application being viewed by
>>> the user agent. So it would be my vote to eliminate the idea of a page
>>> score entirely. What I'm suggesting is that we show them the
>>> information, educate the user as to what it means, but assign no value.
>>>
>>> This is just my two cents on the page score topic.
>>>
>>> Thanks,
>>> Bill
>>>
>>> -----Original Message-----
>>> From: public-wsc-wg-request@w3.org [mailto:public-wsc-wg-request@w3.org]
>>> On Behalf Of Anil Saldhana
>>> Sent: Thursday, January 10, 2008 2:18 PM
>>> To: public-wsc-wg@w3.org
>>> Subject: Re: Is the padlock a page security score?
>>>
>>> Right on the point, Tim.
>>>
>>> We have a tendency to quote personal experiences/behavior to equate it
>>> to the general behavior of the masses. A security indicator to one does
>>> not mean an indicator to everyone.
>>>
>>> WG has had discussions that the padlock is not sufficient to ensure a
>>> secure behavior. Hence page security score, ev cert bar etc etc. :)
>>>
>>> Timothy Hahn wrote:
>>>> Hi all,
>>>>
>>>> This whole discussion is subjective. What is useful for one person could
>>>> very well be useless to someone else.
>>>>
>>>> An analogy - weather forecasts about the possibility of rain today. Does
>>>> such a score indicate whether I will get rained on? No. Does it help me
>>>> decide whether or not to wear a hat or carry an umbrella? Yes. There is
>>>> no way that people other than meteorologists (and some would argue, even
>>>> them) will accurately interpret isobars, cloud patterns, and doppler radar
>>>> to determine whether it will rain. But people can get a feeling for the
>>>> chances of rain based on a 0-100% estimate.
>>>>
>>>> I think the same is true for the notion of a page security score. Does it
>>>> imply that the user will definitely, without a doubt, not get "taken"? No.
>>>> Does it give the user something with which to make a choice? Yes. In
>>>> this light, I still feel that page security scores are good things to
>>>> consider.
>>>>
>>>> Regards,
>>>> Tim Hahn
>>>> IBM Distinguished Engineer
>>>>
>>>> Internet: hahnt@us.ibm.com
>>>> Internal: Timothy Hahn/Durham/IBM@IBMUS
>>>> phone: 919.224.1565 tie-line: 8/687.1565
>>>> fax: 919.224.2530
>>>>
>>>> From: <michael.mccormick@wellsfargo.com>
>>>> To: <ifette@google.com>, <Anil.Saldhana@redhat.com>
>>>> Cc: Timothy Hahn/Durham/IBM@IBMUS, <public-wsc-wg@w3.org>,
>>>> <Mary_Ellen_Zurko@notesdev.ibm.com>
>>>> Date: 01/10/2008 01:34 PM
>>>> Subject: RE: Is the padlock a page security score?
>>>>
>>>> I would ask the same question about a binary indicator. The padlock does
>>>> not mean it's safe to enter a credit card.
>>>>
>>>> From: Ian Fette [mailto:ifette@google.com]
>>>> Sent: Thursday, January 10, 2008 12:26 PM
>>>> To: Anil Saldhana
>>>> Cc: McCormick, Mike; hahnt@us.ibm.com; public-wsc-wg@w3.org;
>>>> Mary_Ellen_Zurko@notesdev.ibm.com
>>>> Subject: Re: Is the padlock a page security score?
>>>>
>>>> I still don't understand what anything beyond a binary result is supposed
>>>> to tell a user. I'm on a site with "Medium" security - what does that
>>>> mean? Does that mean that I should give them my credit card or not?
>>>>
>>>> On Jan 10, 2008 10:00 AM, Anil Saldhana <Anil.Saldhana@redhat.com> wrote:
>>>> Maybe there is an opportunity to associate "High/Medium/Low" or
>>>> "Strong/Medium/Low" based on page security score with the padlock.
>>>>
>>>> michael.mccormick@wellsfargo.com wrote:
>>>>> Sure, I agree the padlock is a binary representation of a boolean security
>>>>> score formula based on a single security variable (SSL on main page). A
>>>>> degenerate case IMHO - but still technically a page security score.
>>>>>
>>>>> A security score algorithm should take into account most (if not all) of the
>>>>> variables we enumerated under "What is a Secure Page?" Perhaps the note
>>>>> should state that explicitly. Then padlocks wouldn't qualify.
>>>>>
>>>>> _____
>>>>>
>>>>> From: public-wsc-wg-request@w3.org [mailto:public-wsc-wg-request@w3.org] On
>>>>> Behalf Of Timothy Hahn
>>>>> Sent: Thursday, January 10, 2008 10:40 AM
>>>>> To: public-wsc-wg@w3.org
>>>>> Subject: Re: Is the padlock a page security score?
>>>>>
>>>>> Mez,
>>>>>
>>>>> I'll toss in my view that the padlock is an example of a page security
>>>>> score. In most user agents, this seems to be pretty much "binary" (on or
>>>>> off) though I think we've heard from some folks that there are some
>>>>> "embellishments" on their display of the icon which would provide more
>>>>> gradations based on information received.
>>>>>
>>>>> On the bright side of such a visible item - it is relatively easy to
>>>>> describe and for people to grasp the meaning of.
>>>>>
>>>>> On the down side of the padlock - ... well, we've had lots of that
>>>>> discussion on this list already - see the archives.
>>>>>
>>>>> Regards,
>>>>> Tim Hahn
>>>>> IBM Distinguished Engineer
>>>>>
>>>>> Internet: hahnt@us.ibm.com
>>>>> Internal: Timothy Hahn/Durham/IBM@IBMUS
>>>>> phone: 919.224.1565 tie-line: 8/687.1565
>>>>> fax: 919.224.2530
>>>>>
>>>>> From: "Mary Ellen Zurko" <Mary_Ellen_Zurko@notesdev.ibm.com>
>>>>>
>>>>> To: public-wsc-wg@w3.org
>>>>>
>>>>> Date: 01/10/2008 11:10 AM
>>>>>
>>>>> Subject: Is the padlock a page security score?
>>>>>
>>>>> _____
>>>>>

--
Anil Saldhana
Project/Technical Lead,
JBoss Security & Identity Management
JBoss, A division of Red Hat Inc.
http://labs.jboss.com/portal/jbosssecurity/

Received on Thursday, 10 January 2008 19:58:00 UTC