- From: Timothy Hahn <hahnt@us.ibm.com>
- Date: Wed, 19 Mar 2008 14:05:21 -0400
- To: "public-wsc-wg@w3.org" <public-wsc-wg@w3.org>
- Message-ID: <OF31DC36CC.47B9CBCC-ON85257411.0061DB7E-85257411.00635E29@us.ibm.com>
Tyler,

I have to agree with you that it seems like it would be much easier for
people to remember something they chose rather than something that was
chosen for them and written in a "language" (if you could call it that)
which only weird folks like us sometimes understand.

Where I keep struggling with this though is in the reliance on the user to
choose a mnemonic. Looking at it from the point of view of a
non-technical person (or so I believe): Should they choose one that is
unique for each site they visit? After 20 or so mnemonics, they would
probably run out of clever names. They would probably start re-using
names. Is there any harm in this? Or could they use the same mnemonic
for everything? (after all, this would be easy for them to remember).
What is the potential harm in doing so?

I am sure that you have some good answers to these questions. Hopefully
the rest of the list will find the answers as useful as I will.

Regards,
Tim Hahn
IBM Distinguished Engineer
Internet: hahnt@us.ibm.com
Internal: Timothy Hahn/Durham/IBM@IBMUS
phone: 919.224.1565 tie-line: 8/687.1565
fax: 919.224.2530

From: "Close, Tyler J." <tyler.close@hp.com>
To: Rachna Dhamija <rachna.w3c@gmail.com>, Stephen Farrell <stephen.farrell@cs.tcd.ie>
Cc: Thomas Roessler <tlr@w3.org>, Mary Ellen Zurko/Westford/IBM@Iris, "public-wsc-wg@w3.org" <public-wsc-wg@w3.org>
Date: 03/19/2008 11:58 AM
Subject: RE: petname implementation recommendation proposal

Rachna Dhamija wrote:
> By what measure?

I think if we make any reasonable effort to quantify the user effort
involved in correctly distinguishing a known site from an imposter using
the hostname display versus the petname display, we will find an advantage
for the petname display.

On each repeated visit:

For the hostname display, the user must remember the exact hostname used
by the known site and perform an exact character-for-character match
against the string presented by the hostname display.

For the petname display, the user must check that the petname display is
enabled and displaying a petname that looks like one they would have
assigned to the known site. If the petname looks more or less right, it is
exactly right.

On initial visit:

For the hostname display, the user must study the hostname display and
commit to memory the exact string being displayed.

For the petname display, the user must type in a short mnemonic of their
own choosing.

For multi-hostname sites:

For the hostname display, no indication is provided that a newly
encountered hostname has any relationship with a previously known one.

For the petname display, when the site's certificate creates a binding
between hostnames, the petname assigned to the previously encountered
hostname is displayed.

What's hard:

I believe the following are hard tasks for users:
- exactly remembering a string chosen by someone else
- correctly performing a character-for-character match of a
  presented string against a remembered string
- correctly searching for information that is not presented

I believe the following are feasible tasks for users:
- approximately recognizing a presented string as one chosen in
  the past

Conclusion:

The petname display substitutes feasible user skills where the hostname
display requires infeasible ones.

Again, I'm not saying the petname tool is perfect as is, but it's better
and moving in the right direction and I think I know what the next steps
are.

--Tyler

Received on Wednesday, 19 March 2008 18:06:03 UTC
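
The petname display behaviour described in the quoted message (initial visit, repeated visit, multi-hostname site), as an added JavaScript illustration that is not code from this thread or from any petname tool. It assumes certificate validation has already happened and models a certificate as the list of hostnames it binds; the class, function and hostnames are constructed for the example.

```javascript
// Added illustration; not the code of any existing petname tool.
// Assumption: certHosts comes from a certificate that has already been validated.
class PetnameStore {
  constructor() {
    this.byHost = new Map(); // hostname -> petname chosen by the user
  }

  // Initial visit: the user types a short mnemonic for the site they are on.
  assign(hostname, petname) {
    this.byHost.set(hostname.toLowerCase(), petname);
  }

  // What the display shows for a visit. certHosts is the list of hostnames
  // the site's certificate binds together (constructed model).
  display(hostname, certHosts = []) {
    const host = hostname.toLowerCase();
    const bound = certHosts.map((h) => h.toLowerCase());
    // Use the binding only if the certificate actually covers this host.
    const candidates = bound.includes(host) ? [host, ...bound] : [host];
    for (const h of candidates) {
      const petname = this.byHost.get(h);
      if (petname !== undefined) return { petname, known: true };
    }
    return { petname: null, known: false }; // nothing for the user to recognise
  }
}

// Walks through the cases in the message with constructed hostnames.
function demo() {
  const store = new PetnameStore();
  const cert = ["www.example.com", "login.example.com"]; // constructed binding
  const results = [];
  results.push(store.display("www.example.com", cert)); // initial visit
  store.assign("www.example.com", "my bank");
  results.push(store.display("www.example.com", cert)); // repeated visit
  results.push(store.display("login.example.com", cert)); // multi-hostname site
  // Look-alike hostname with its own certificate: no petname is shown.
  results.push(store.display("www.examp1e.com", ["www.examp1e.com"]));
  return results;
}

console.log(demo());
```

The last case is the one the comparison turns on: the user does not have to spot the differing character, because the look-alike host simply has no petname to show.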