RE: Is the padlock a page security score?

Dan:

That is great and NIST has some good open test cases as well that can be
shared. Perhaps if we consider content and application as any good mark
will do, then we should consider OS. I am only concerned regarding one
thing. Every study I have read says that people have no idea what the
padlock means exactly even if they see it, so why replace this with
another icon that all studies show would most likely be misrepresented.
HiSoftware has been tentative at this point because it is at best
incomplete I have missed the fact that most people don't know what it
means if they look at it (According to what I read on this working group
pages). 

Cheers,
rob

-----Original Message-----
From: public-wsc-wg-request@w3.org [mailto:public-wsc-wg-request@w3.org]
On Behalf Of Dan Schutzer
Sent: Monday, January 14, 2008 9:30 AM
To: Robert Yonaitis; 'Mike Beltzner'
Cc: 'michael mccormick'; hahnt@us.ibm.com; public-wsc-wg@w3.org; 'Ian
Fette'
Subject: RE: Is the padlock a page security score?


The web page application should ultimately be included in the score.
This
means that two web applications using the same web protocols may not be
equally secure. I am planning to write a short paragraph to explain one
way
this can be implemented.

Dan

-----Original Message-----
From: public-wsc-wg-request@w3.org [mailto:public-wsc-wg-request@w3.org]
On
Behalf Of Robert Yonaitis
Sent: Friday, January 11, 2008 9:32 AM
To: Mike Beltzner; Dan Schutzer
Cc: michael mccormick; hahnt@us.ibm.com; public-wsc-wg@w3.org; Ian Fette
Subject: RE: Is the padlock a page security score?

Hello All:

One last note on the scores. I think this is important. Since we have
neglected by design to cover the content or applications then the
weather
analogy does not work. This is because the weather takes into account
many
items like atmospheric soundings, dew points, trends, pressures and
more.
(Disclaimer: I received a C in my advanced meteorology course at
erau.edu)
Since we are by design ignoring the place where most security flaws can
and
do happen the application  and or content then clearly our score would
be
meaningless.

Cheers

-----Original Message-----
From: public-wsc-wg-request@w3.org [mailto:public-wsc-wg-request@w3.org]
On
Behalf Of Mike Beltzner
Sent: Thursday, January 10, 2008 11:33 PM
To: Dan Schutzer
Cc: michael mccormick; hahnt@us.ibm.com; public-wsc-wg@w3.org; Ian Fette
Subject: Re: Is the padlock a page security score?


----- "Dan Schutzer" <dan.schutzer@fstc.org> wrote:
> I am not sure. If there were scores and competing services so that I
> had a choice then security might actually improve. Suppose I had two
> competing social networks with vastly different security scores; for
> example, One with a 70 and one with a 90 security score - I just might
> not use the service with the 70 security score. Perhaps if we had
> reliable scores and people started picking one service over another
> based upon the scores, we might get services that are more serious
> about security.

I don't think that's where the problem exists, though. It's not the case
that people are trying to choose between which of N different social
networking sites they want to work with (they'll go to the ones that
their
friends are using).

Where the number *would* come in handy is when they're used to seeing a
"72"
for their bank or online shopping site, but all of a sudden they see a
"38".
It's the change in the security values that become interesting. At that
point, though, why would we require that the user remember that
theirshoppingsite.com is usually a 72, but all of a sudden became a 36.
Why
would we not, instead, just alert them to the fact that there's
something
suspicious, and they shouldn't use the site at this time (with links to
more
detail for those who wish to know what tipped us off).

Again I say: the message needs to be meaningful and actionable. A
summary
statistic isn't thus.

(Earlier we talked about 70% chance of rain, and I applauded it as an
interesting analogy. I realize, actually, that the liklihood of rain
isn't
the same as a summary statistic for security, as rain is one aspect of
the
weather. A more appropriate analogy would be if weather reports told us
that
tomorrow would be "72% nice".)

cheers,
mike







The information in this transmittal (including attachments, if any) is privileged and confidential and is intended only for the recipient(s) listed above.  Any review, use, disclosure, distribution or copying of this transmittal is prohibited except by or on behalf of the intended recipient.  If you have received this transmittal in error, please notify me immediately by reply email and destroy all copies of the transmittal.  Thank you.

Received on Monday, 14 January 2008 14:44:06 UTC