- From: Doyle, Bill <wdoyle@mitre.org>
- Date: Fri, 11 Jan 2008 10:03:38 -0500
- To: "Mary Ellen Zurko" <Mary_Ellen_Zurko@notesdev.ibm.com>, "Mike Beltzner <beltzner" <beltzner@mozilla.com>
- Cc: <public-wsc-wg@w3.org>
- Message-ID: <518C60F36D5DBC489E91563736BA4B5801D36F52@IMCSRV5.MITRE.ORG>
I was thinking that instead of a numeric score it would be simpler to point to a robustness or assurance level in terms of high, medium, low. One thing to keep in mind is that the capabilities of the protocols and underlying IA mechanism keep changing; it is going to be difficult to keep a numeric score consistent. What happens to the page score when a new TLS/SSL version comes out or new ciphers are added? It would be easier to present a consistent UI if it is noted that the site meets high assurance, medium assurance or low assurance. This would still alert the user that something has changed - 72 to 38 would be a change in assurance level.

________________________________
From: public-wsc-wg-request@w3.org [mailto:public-wsc-wg-request@w3.org] On Behalf Of Mary Ellen Zurko
Sent: Friday, January 11, 2008 9:09 AM
To: Mike Beltzner <beltzner
Cc: public-wsc-wg@w3.org
Subject: Re: Is the padlock a page security score?

Great conversation, all the way around. I particularly appreciate those posts that, while taking a strong stance, also try to explore other points of view, how their stance relates to it, and what might be some sort of reasonable middle ground. Kudos to all of you!

> Where the number *would* come in handy is when they're used to
> seeing a "72" for their bank or online shopping site, but all of a
> sudden they see a "38". It's the change in the security values that
> become interesting. At that point, though, why would we require that
> the user remember that theirshoppingsite.com is usually a 72, but
> all of a sudden became a 36. Why would we not, instead, just alert
> them to the fact that there's something suspicious, and they
> shouldn't use the site at this time (with links to more detail for
> those who wish to know what tipped us off).

That would tie into the Change of Security Level (or CoSL as I started to call it in my review comments) in xit.
As I think does some of the discussion of warnings on top of passive indicators (although as my review comments indicated, it was hard to find the part of CoSL where that was specified, and should be made clearer).
Received on Friday, 11 January 2008 15:03:53 UTC
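The high/medium/low bucketing and the change-of-security-level alert argued for in the thread above, sketched as an added Python example (not code from the thread or from any W3C deliverable). The thresholds that define each level are illustrative assumptions, and the TLS observations fed to it are constructed sample data.

```python
from dataclasses import dataclass
from typing import Dict, Optional

LEVELS = ("low", "medium", "high")  # ordered, weakest first


@dataclass(frozen=True)
class TlsObservation:
    """What the browser saw for one page load (constructed sample data)."""
    protocol: str      # e.g. "TLSv1.2"
    cipher_bits: int   # symmetric key strength in bits
    chain_valid: bool  # certificate chain validates to a trusted root
    ev_cert: bool      # extended-validation certificate presented


def assurance_level(obs: TlsObservation) -> str:
    """Bucket an observation into high/medium/low.

    The cut-offs are assumptions chosen for illustration, not a standard.
    The point of bucketing is that a new protocol version or a new cipher
    lands in an existing bucket instead of shifting a numeric score.
    """
    if not obs.chain_valid or obs.protocol in ("SSLv2", "SSLv3"):
        return "low"
    if obs.cipher_bits < 128:
        return "low"
    return "high" if obs.ev_cert else "medium"


def security_level_change(previous: Optional[str], current: str) -> Optional[str]:
    """Change-of-Security-Level check: compare the level stored for a site
    with the level just observed. Returns 'downgrade', 'upgrade' or None."""
    if previous is None or previous == current:
        return None
    return "downgrade" if LEVELS.index(current) < LEVELS.index(previous) else "upgrade"


def visit(store: Dict[str, str], host: str, obs: TlsObservation) -> Optional[str]:
    """Record the site's current level and return a verdict the UI can act on."""
    level = assurance_level(obs)
    verdict = security_level_change(store.get(host), level)
    store[host] = level
    return verdict


if __name__ == "__main__":
    seen: Dict[str, str] = {}
    print(visit(seen, "bank.example", TlsObservation("TLSv1.0", 128, True, False)))
    # protocol and cipher upgrade: a score would move, the level does not
    print(visit(seen, "bank.example", TlsObservation("TLSv1.2", 256, True, False)))
    # chain no longer validates: the level drops and the user should be warned
    print(visit(seen, "bank.example", TlsObservation("TLSv1.2", 256, False, False)))
```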