Re: ISSUE-198 (Be the user's agent and do their bidding): 6.4.4 Danger messages should not strictly forbid user agents from doing the user's bidding [wsc-xit]

I am comforted by the fact that Serge's email agrees exactly with what I 
remember we agreed to. 

          Mez





From: "Ian Fette" <ifette@google.com>
To: "Serge Egelman" <egelman@cs.cmu.edu>
Cc: "Web Security Context Working Group WG" <public-wsc-wg@w3.org>
Date: 05/13/2008 03:51 PM
Subject: Re: ISSUE-198 (Be the user's agent and do their bidding): 6.4.4 Danger messages should not strictly forbid user agents from doing the user's bidding [wsc-xit]



We settled this in the f2f today. We basically ended up saying that the 
user interaction to dismiss the danger dialog/interstitial should be 
different than the one for dismissing a warning. I don't have the exact 
text, but the intent was to say that it's more severe and should not have 
the same interaction to dismiss. User agents MAY decide not to offer a 
click through, but that's left to the UA to decide.

-Ian

On Tue, May 13, 2008 at 8:55 AM, Serge Egelman <egelman@cs.cmu.edu> wrote:

I would agree with this change.  However, the difference should be that 
the DANGER message appears to be much more severe.  Maybe also make it 
harder to override, but not impossible (e.g. clicking an option in 
preferences).

serge


Web Security Context Working Group Issue Tracker wrote:

ISSUE-198 (Be the user's agent and do their bidding): 6.4.4 Danger 
messages should not strictly forbid user agents from doing the user's 
bidding [wsc-xit]

http://www.w3.org/2006/WSC/track/issues/

Raised by: Ian Fette
On product: wsc-xit

Section 6.4.4 danger messages says "These interactions MUST be presented 
in a way that makes it impossible for the user go to or interact with the 
destination web site that caused the danger situation to occur." This is 
unacceptable, as the user agent is precisely that - the user's agent. The 
browser should never prevent the user from reaching the page that they 
wish. It can warn users, but should always offer a way to proceed, even if 
this includes some very longish set of steps to do so. At the end of the 
day though, the user must be able to proceed.

My suggested change: Change that text to say "These interactions MUST be 
presented in a way that makes it impossible for the user go to or interact 
with the destination web site that caused the danger situation to occur, 
without first explicitly interacting with the Danger Message."

I'm really having trouble reasoning if there should be a difference 
between DANGER and WARNING at all. Perhaps the only difference is that the 
text is harsher in DANGER messages?





-- 
/*
PhD Candidate
Carnegie Mellon University

"Whoever said there's no such thing as a free lunch was never a grad 
student."

All views contained in this message, either expressed or implied, are the 
views of my employer, and not my own.
*/

Received on Wednesday, 14 May 2008 04:48:18 UTC