- From: Ian Fette <ifette@google.com>
- Date: Thu, 24 Jan 2008 09:27:10 -0800
- To: michael.mccormick@wellsfargo.com
- Cc: hahnt@us.ibm.com, public-wsc-wg@w3.org

"nobody wins" includes the users and people who actually have to adopt this spec :(

On Jan 24, 2008 9:04 AM, <michael.mccormick@wellsfargo.com> wrote:
>
> I predict many users are going to find this type of indicator quite useful.
> Certainly more helpful than today's misleading padlocks & colored address
> bars. If it was up to me or Tim the language would say MUST. Ian wants
> MAY. Splitting the difference and going with SHOULD seems like a way to
> split the difference. Compromise means nobody wins. ;-)
>
> ________________________________
>
> From: public-wsc-wg-request@w3.org [mailto:public-wsc-wg-request@w3.org] On Behalf Of Ian Fette
> Sent: Thursday, January 24, 2008 12:27 AM
> To: Timothy Hahn
> Cc: public-wsc-wg@w3.org
> Subject: Re: ACTION-374 - proposed re-written text for 6.3, Page Security Score
>
> By saying that a user agent MAY elect not to display the indicator, but that
> it SHOULD display the indicator, we're saying we think it's useful, but if
> one wants to ignore that go ahead. I don't think that I'm yet willing to go
> along and say that I think it's useful.
>
> I really want to know what a person is supposed to do when they see this
> indicator. If they see 3/4 bars, what do they do? If they see a meter that's
> somewhere towards the right, what do they do? God forbid they see a "78" and
> have to figure that out. None of these representations seem like a good idea
> to me, and until we can come up with an indicator that is actually going to
> inform user action, I really don't think we should be saying SHOULD about any
> of this, with the possible exception of noticing a change.
>
> Let's say that I go to my company's webmail, and it has 2/4 bars. I'm still
> going to log in. Let's say I go to an e-commerce site and it has 3/4 bars.
> What does that mean? Is it safe or not? (and I seriously doubt that anyone
> is going to take on the liability of an indicator that answers that question
> in a binary fashion, which is the only way this might be useful, if we
> actually had the data to make that decision which we do not).
>
> This still seems way too strong to me.
>
> On Jan 23, 2008 6:46 PM, Timothy Hahn <hahnt@us.ibm.com> wrote:
> >
> > Ian,
> >
> > In addition to the level of indirection I referred to below, I also added
> > this clause:
> >
> > > > The user agent MAY elect to display a visual indicator in primary chrome
> > > > only when a change in "security confidence estimate" values is observed.
> >
> > I added this upon reflection of your and Jonathan's comments on the 16
> > January call where you seemed to desire to not always show a visual
> > indicator.
> >
> > I still believe that some type of meter that has more than 0/1 gradations
> > is better than a meter that is binary and also better than no meter at all.
> >
> > Regards,
> > Tim Hahn
> > IBM Distinguished Engineer
> >
> > Internet: hahnt@us.ibm.com
> > Internal: Timothy Hahn/Durham/IBM@IBMUS
> > phone: 919.224.1565 tie-line: 8/687.1565
> > fax: 919.224.2530
> >
> > From: "Ian Fette" <ifette@google.com>
> > To: Timothy Hahn/Durham/IBM@IBMUS
> > Cc: public-wsc-wg@w3.org
> > Date: 01/23/2008 05:24 PM
> > Subject: Re: ACTION-374 - proposed re-written text for 6.3, Page Security Score
> >
> > ________________________________
> >
> > I think that what I was saying on the call, and I heard the same from
> > at least Jonathan, was that it's unclear what it means even if you
> > have a dial, or "3 bars out of 4". At the end, it doesn't help me
> > decide whether to proceed or not. The indirection didn't solve this
> > problem.
> >
> > On Jan 23, 2008 2:13 PM, Timothy Hahn <hahnt@us.ibm.com> wrote:
> > >
> > > Ian,
> > >
> > > Thanks for the feedback.
> > >
> > > I tried to express a level of indirection between what is displayed (I
> > > referred to this as a "visual indicator") and the value itself (which I
> > > referred to as the "value"). This indirection was meant to allow for a
> > > difference between what is displayed and the "raw score" value itself.
> > >
> > > I welcome suggestions on making this more clear in the write-up.
> > >
> > > Relative to your desire for MAY vs. SHOULD - given the different opinions of
> > > the people that have been discussing this, I made the bold decision that
> > > SHOULD seemed appropriate.
> > >
> > > Regards,
> > > Tim Hahn
> > > IBM Distinguished Engineer
> > >
> > > Internet: hahnt@us.ibm.com
> > > Internal: Timothy Hahn/Durham/IBM@IBMUS
> > > phone: 919.224.1565 tie-line: 8/687.1565
> > > fax: 919.224.2530
> > >
> > > From: "Ian Fette" <ifette@google.com>
> > > To: Timothy Hahn/Durham/IBM@IBMUS
> > > Cc: public-wsc-wg@w3.org
> > > Date: 01/23/2008 04:55 PM
> > > Subject: Re: ACTION-374 - proposed re-written text for 6.3, Page Security Score
> > >
> > > ________________________________
> > >
> > > I'm still unclear on the following two points:
> > >
> > > The user agent SHOULD provide a visual indicator in primary chrome
> > > which varies relative to the "security confidence estimate" value.
> > > Examples of such visual indicators (non-normative) are gauges,
> > > thermometers, a selection of several textual descriptions, and
> > > color-gradations.
> > >
> > > The visual indicator SHOULD be especially conspicuous in display when
> > > the "security confidence estimate" value is different than the value
> > > which was observed for the loaded page in previous visits to the
> > > loaded page.
> > >
> > > It sounds to me like there was a lot of agreement on the call that
> > > changes in this score might be informative. I don't think there was
> > > any agreement that the raw score itself was informative. I don't
> > > understand why we're saying that the score SHOULD be indicated in
> > > primary chrome, nor do I understand why it makes sense to show it if
> > > the score has changed (i.e. "Hey, this was 78 and now it's 68" -
> > > "Great, what does that mean"). I think it may make sense (MAY) to call
> > > out what changed, but calling out the score (either normally, or even
> > > when it changes) still makes no sense to me.
> > >
> > > I would love to see these SHOULD -> MAY
> > >
> > > -Ian
> > >
> > > On Jan 23, 2008 10:41 AM, Timothy Hahn <hahnt@us.ibm.com> wrote:
> > > >
> > > > To Mez:
> > > >
> > > > I agree with your proposal and will make that be so in the draft.
> > > >
> > > > To Mike:
> > > >
> > > > While I, myself, would prefer stronger language, I worded the updates per
> > > > the discussion from the group (during the weekly conference call as well as
> > > > on the mailing list).
> > > >
> > > > Regards,
> > > >
> > > > Tim Hahn
> > > > IBM Distinguished Engineer
> > > >
> > > > Internet: hahnt@us.ibm.com
> > > > Internal: Timothy Hahn/Durham/IBM@IBMUS
> > > > phone: 919.224.1565 tie-line: 8/687.1565
> > > > fax: 919.224.2530
> > > >
> > > > From: Mary Ellen Zurko/Westford/IBM@IRIS
> > > > To: Timothy Hahn/Durham/IBM@IBMUS
> > > > Cc: public-wsc-wg@w3.org
> > > > Date: 01/23/2008 01:29 PM
> > > > Subject: Re: ACTION-374 - proposed re-written text for 6.3, Page Security Score
> > > > ________________________________
> > > >
> > > > I propose that you also change the title of the section to "Security
> > > > Confidence Estimate"
> > > >
> > > > Mez
> > > >
> > > > From: Timothy Hahn/Durham/IBM@IBMUS
> > > > To: public-wsc-wg@w3.org
> > > > Date: 01/23/2008 11:29 AM
> > > > Subject: ACTION-374 - proposed re-written text for 6.3, Page Security Score
> > > > ________________________________
> > > >
> > > > Hi all,
> > > >
> > > > From last week's meeting (16 January 2008) I took an action to propose
> > > > re-written text for the "Page Security Score" section.
> > > >
> > > > From the latest wsc-xit draft, the current text reads:
> > > >
> > > > --- Start ---
> > > > 6.3 Page Security Score
> > > >
> > > > See also: ISSUE-129
> > > >
> > > > Please refer to the following entries in the Working Group's Wiki for
> > > > relevant background information: RecommendationDisplayProposals/PageScore
> > > >
> > > > The user agent MUST reduce the state of all security context information
> > > > made available to a single value. A partial order MUST be defined on the set
> > > > of possible values.
> > > >
> > > > The user agent MUST make the security context information value available to
> > > > the end user, in either primary or secondary chrome.
> > > >
> > > > The user agent MUST make the formula by which the value is calculated
> > > > available to the end user. Documentation of the user agent is the likeliest
> > > > place.
> > > >
> > > > The form of the indicator of this value will depend on the user agent and
> > > > end user abilities. The user agent SHOULD provide a primary chrome
> > > > indicator
> > > >
> > > > --- End ---
> > > >
> > > > Here is my proposed re-written text:
> > > >
> > > > --- Start ---
> > > > 6.3 Page Security Score
> > > >
> > > > See also: ISSUE-129
> > > >
> > > > Please refer to the following entries in the Working Group's Wiki for
> > > > relevant background information: RecommendationDisplayProposals/PageScore
> > > >
> > > > The user agent SHOULD provide a means of reducing the collection of security
> > > > context information which is available for any loaded page to a numeric
> > > > value (termed a "security confidence estimate").
> > > >
> > > > The calculation algorithm for the "security confidence estimate" MAY be made
> > > > selectable by the end user or offered by separately installed user agent
> > > > plug-ins.
> > > >
> > > > The user agent SHOULD provide a visual indicator in primary chrome which
> > > > varies relative to the "security confidence estimate" value. Examples of
> > > > such visual indicators (non-normative) are gauges, thermometers, a selection
> > > > of several textual descriptions, and color-gradations.
> > > >
> > > > The visual indicator SHOULD be especially conspicuous in display when the
> > > > "security confidence estimate" value is different than the value which was
> > > > observed for the loaded page in previous visits to the loaded page.
> > > >
> > > > The user agent MAY elect to display a visual indicator in primary chrome
> > > > only when a change in "security confidence estimate" values is observed.
> > > >
> > > > The user agent MUST make the details of all available security context
> > > > information available to the end user, in either primary or secondary
> > > > chrome.
> > > >
> > > > If a "security confidence estimate" is provided, the provider of the
> > > > implementation MUST make the calculation algorithm by which the "security
> > > > confidence estimate" value is calculated available to the end user.
> > > > Documentation for the user agent or plug-in which is employed is the
> > > > likeliest place.
> > > >
> > > > The visual realization of the "security confidence estimate" value will
> > > > depend on the user agent and end user abilities.
> > > >
> > > > --- End ---
> > > >
> > > > Tim Hahn
> > > > IBM Distinguished Engineer
> > > >
> > > > Internet: hahnt@us.ibm.com
> > > > Internal: Timothy Hahn/Durham/IBM@IBMUS
> > > > phone: 919.224.1565 tie-line: 8/687.1565
> > > > fax: 919.224.2530
> > > >
> > > > [attachment "smime.p7s" deleted by Mary Ellen Zurko/Westford/IBM]

Received on Thursday, 24 January 2008 17:27:25 UTC
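
The thread above turns on two user-agent behaviours: flagging a change in the "security confidence estimate" between visits, and calling out what changed rather than the number. The following sketch of both is an added example, not code from the thread or from the WSC draft; the signal names, weights and page URL are constructed assumptions, since the draft leaves the calculation algorithm to the implementer.

```javascript
// Constructed signals and weights: the draft leaves the calculation algorithm
// to the implementer, so everything in WEIGHTS is an assumption.
const WEIGHTS = { tls: 40, certValidated: 30, extendedValidation: 15, noMixedContent: 15 };

// Reduce the security context to one number (the "security confidence estimate").
function confidenceEstimate(ctx) {
  return Object.keys(WEIGHTS).reduce((sum, k) => sum + (ctx[k] ? WEIGHTS[k] : 0), 0);
}

// List the individual signals that differ between two visits.
function changedSignals(prev, cur) {
  return Object.keys(WEIGHTS)
    .filter((k) => Boolean(prev[k]) !== Boolean(cur[k]))
    .map((k) => ({ signal: k, was: Boolean(prev[k]), now: Boolean(cur[k]) }));
}

class VisitHistory {
  constructor() { this.lastContext = new Map(); } // page URL -> context at last visit

  // Record this visit and report what the chrome would need to display.
  observe(pageUrl, ctx) {
    const prev = this.lastContext.get(pageUrl);
    this.lastContext.set(pageUrl, { ...ctx });
    const value = confidenceEstimate(ctx);
    if (prev === undefined) {
      return { value, previousValue: null, conspicuous: false, changed: [] };
    }
    const previousValue = confidenceEstimate(prev);
    return {
      value,
      previousValue,
      conspicuous: value !== previousValue, // the draft's trigger: value differs
      changed: changedSignals(prev, ctx),   // input for a "call out what changed" UI
    };
  }
}

// Three constructed visits to one page (hypothetical URL).
function demo() {
  const h = new VisitHistory();
  const url = "https://webmail.example/login";
  const first = h.observe(url, { tls: true, certValidated: true, extendedValidation: true, noMixedContent: false });
  const second = h.observe(url, { tls: true, certValidated: true, extendedValidation: false, noMixedContent: true });
  const third = h.observe(url, { tls: true, certValidated: false, extendedValidation: false, noMixedContent: true });
  return { first, second, third };
}
```

On the second visit two signals change while the value stays at 85, so a trigger keyed only to the value stays quiet; on the third visit the value drops to 55 and the changed list names the certificate validation signal.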