Re: Is the padlock a page security score?

The additional virtual factor is the KBA. Rather than scout for a scanner or
the retina or the mobile, the picture acts as the additional 
*incomplete* factor.

Ian Fette wrote:
> Which is still just a single factor (what you know)...
> 
> On Jan 11, 2008 2:26 PM, Anil Saldhana <Anil.Saldhana@redhat.com> wrote:
> 
>> Many of the US banks are going towards multi-factor knowledge based
>> authentication, like displaying a favorite picture of yours and such.
>>
>>
>> Mike Beltzner wrote:
>>> michael.mccormick@wellsfargo.com wrote:
>>>> There seems to still be some lingering misunderstanding about the
>>>> security score.  It does not specify how the score should be presented
>>>> in primary chrome.  The UA is free to render it as anything from a
>>>> padlock to a color-coded address bar to a traffic light to whatever.
>>>> The raw score is not displayed in the primary UI.
>>> The disagreement is in that I don't believe a single "score" will ever
>>> hold value. A recommendation or advice based on a score, is what I would
>>> suggest we advocate in our document.
>>>
>>> The user who needs a recommendation for action (ie: "Is this page
>>> safe?") won't benefit from a score ("72% safe!"), as it won't hold any
>>> specific meaning to them.
>>>
>>> The user who wants to know more about why a specific recommendation has
>>> been given (ie: "Why are you saying that this page is suspicious, it
>>> looks like my bank!") won't benefit from a score ("because it's only
>>> 72% safe!") because they need more detail.
>>>
>>> Both of these users are served by a system where security risks are
>>> called out by the browser ("Note: This page is suspicious!
>>> (Details...)") and then further explanation is given (the certificate
>>> changed, it's not high on the network of trust, etc).
>>>
>>> cheers,
>>> mike
-- 
Anil Saldhana
Project/Technical Lead,
JBoss Security & Identity Management
JBoss, A division of Red Hat Inc.
http://labs.jboss.com/portal/jbosssecurity/

Received on Friday, 11 January 2008 22:48:10 UTC