ACTION-406: Petname burden

In ACTION-406, I said I would raise issues I had with burden of petnames:

Issue #1: Burden on UI. If a user wants to use petnames and have them
displayed, great. I'm not sure where exactly that should be displayed, but
if a vendor wants to add this feature and give it screen real-estate, then I
don't want to stop them. However, I don't think it's appropriate for us to
say SHOULD/MUST display petnames as a default configuration, as it's not
clear that it's worth the UI tradeoffs. But what users and vendors choose is
fine. I'm not sure I want to force UAs to implement petnames, but if they
want to do it and the user wants to use it, great.

Issue #2: Burden on user during non-petname interactions. If I'm bookmarking
a site, trying to use a form-filler, or doing anything else where petnames
are not my intent - I think it's fine if petnames are offered as an option,
but I don't think they should be required to be offered as an option (again,
UI issues) and I definitely don't think they should change the flow (e.g. if
1-click bookmarking is the flow, ala FX3, I don't want to require
introduction of a screen that would effectively change it to 2-click) unless
the user has opted in to that changed flow.

Issue #3: "Cognitive burden" as Rachna called it. How many things can people
really remember, and how well will they hold up? E.g. I have 4 pasmark
sitesecure images, one for each of my banks. If the wrong one showed up for
a particular bank (e.g. my BoA image showed up for Vanguard), I don't think
I'd notice. If, for my account at my brokerage (which I rarely log into)
the wrong image showed, I don't think I'd notice at all. Specifically, I
wonder if a "reasonable" petname shows up (e.g. for Bank of America, if the
petname were simply "bank of america", if anyone would notice that's not
_their_ petname... although it may well be ;-) )

Issue #4: Burden on other features / common use cases. We're talking about
disabling form filling for general use cases. Maybe that's separate from
petnames in general and is more an issue with PII-bar, but the two seem
closely linked in the current spec.

Basically, these issues sum up to "I don't have a problem with people using
petnames, if people find them useful that's great. I personally have
reservations about how they would hold up under attack in a long-term study,
I'm not convinced of the value proposition, the cost-benefit analysis, etc,
and so I don't want to force them upon users or vendors. But if people want
to use them, I certainly don't want to stop them."

Received on Wednesday, 26 March 2008 05:46:01 UTC