RE: PIIEditorBar

Hi Mez,
 
In this email I only address the idea of pulling out the petname/history
part of the PII bar proposal.
 
In general, I prefer to break down systems into distinct components that
can be adopted and used in isolation from other components. I'm hesitant
to do that in this case because the usability of the petname tool is
much enhanced by its integration into the PII editor bar. By itself,
the petname tool suffers from the problem of being a chrome indicator,
away from the main browsing activity, and also requires some mechanism
to prevent picture-in-picture attacks. The PII bar without the petname
tool is also vulnerable to certain attacks. Together, I think they
provide a strong defense against all of our in-scope attacks. I'm
worried that if I separate them, each will fail on its own in usability
testing and so leave potential adopters with the impression that there
is no solution here. To have a chance at good usability testing results,
I think I need to keep the two components paired.
 
Tyler


________________________________

From: public-wsc-wg-request@w3.org [mailto:public-wsc-wg-request@w3.org] On Behalf Of Mary Ellen Zurko
Sent: Friday, June 08, 2007 6:04 AM
To: Close, Tyler J.
Cc: public-wsc-wg@w3.org
Subject: PIIEditorBar

"The core conceptual change is augmenting the form filler with a record of what web site a stored text string was given to and providing the user with ready access to this record during a data entry task."

One potential issue with this proposal is the security of storing PII. At some point that should be addressed. For example, in the canonical security issues section, there might be a short discussion on techniques used by password storage/management features and extensions to protect passwords in web user agents.
When this is fully rephrased in conformance language, I'd like to see the petname/history part pulled out as one good practice (representing to users when they've been somewhere before).

"For robustness against spoofing, the PII bar should be displayed using a theme customized to the user."

There's a more general recommendation hiding here too, which I hope is pulled out when it's rephrased for conformance.

"To encourage such treatment, the interface is designed such that it is easier to provide information to a web site using the PII bar than it is for the user to enter information into a web page directly. When using the PII bar, the user need not remember the exact sequence of characters in a PII string, nor type them in; rather, the string is selected from a menu."

The scenarios you haven't dealt with, that may raise issues, are when change happens to the validity of the PII strings. When the credit card number changes. Or expiration date. When the password has changed (I hit a lot of these every few months because of how my employer manages passwords). The stored password is no longer valid (right; it's been changed; must update it here too.)
Mez

Mary Ellen Zurko, STSM, IBM Lotus CTO Office (t/l 333-6389)
Lotus/WPLC Security Strategy and Patent Innovation Architect
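The disclosure record quoted above (which sites a stored PII string has been given to) and the validity-change scenario Mez raises, as an added illustration; this is not the WSC proposal's code, and the class, method names and sample origins are constructed for the example:

```python
"""Model of a PII editor bar's disclosure history (added illustration, not the
W3C WSC proposal's own code). Each stored string carries the web-site origins
it was released to; all names and sample data here are constructed."""
from dataclasses import dataclass, field
from urllib.parse import urlsplit

@dataclass
class PiiEntry:
    label: str                    # name shown in the bar's selection menu
    value: str                    # the PII string itself
    origins: set = field(default_factory=set)  # sites it was given to
    retired: bool = False         # user marked the value as no longer valid

def origin_of(url: str) -> str:
    """Reduce a page URL to its scheme://host[:port] origin."""
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}".lower()

class PiiBar:
    def __init__(self) -> None:
        self.entries = {}         # label -> PiiEntry

    def store(self, label: str, value: str) -> None:
        self.entries[label] = PiiEntry(label, value)

    def release(self, label: str, page_url: str) -> tuple:
        """Decision when the user picks `label` on `page_url`: 'ok' + value for a
        known origin, 'new-site' (bar prompts: never given here), 'retired'."""
        e = self.entries[label]
        if e.retired:
            return "retired", None
        if origin_of(page_url) not in e.origins:
            return "new-site", None
        return "ok", e.value

    def confirm_release(self, label: str, page_url: str) -> str:
        # user explicitly approved a first release to this origin: record it
        e = self.entries[label]
        e.origins.add(origin_of(page_url))
        return e.value

    def retire(self, label: str) -> None:
        # the 'password changed' case: the stored copy is no longer valid
        self.entries[label].retired = True

    def replace_value(self, label: str, new_value: str) -> None:
        # update the string but keep the disclosure history it accumulated
        e = self.entries[label]
        e.value, e.retired = new_value, False
```

A lookalike origin never recorded for the string gets the "new-site" prompt rather than a silent fill, which is the check the history record exists to support.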
"Close, Tyler J." <tyler.close@hp.com>
Sent by: public-wsc-wg-request@w3.org
05/21/2007 07:15 PM
To: <public-wsc-wg@w3.org>
cc:
Subject: RE: Editing process for Recommendations

Hi Mez,

I'm also going to add my PII Editor bar proposal to our draft recommendations. See:

http://www.w3.org/2006/WSC/wiki/PersonallyIdentifiableInformationEditorBar

Shawn and I spoke last week about splitting up editing tasks. I'm taking care of finishing up the Note and he's going to get started on the recommendations. I think he's going to set up a skeleton draft and move the display recommendations from the wiki into the draft. I'll then add my PII Editor bar content. I'm hoping all this gets done this week, so that everyone can print a copy to take on the airplane with them.

Tyler

________________________________

From: public-wsc-wg-request@w3.org [mailto:public-wsc-wg-request@w3.org] On Behalf Of Mary Ellen Zurko
Sent: Monday, May 21, 2007 12:41 PM
To: Close, Tyler J.
Cc: sduffy@aol.net; public-wsc-wg@w3.org
Subject: Re: Editing process for Recommendations

We're past May 18th. How are we doing? It seems we have three proposals that have been put in template format. Will those be forming the basis of our first public working draft recommendations?

Mez

Mary Ellen Zurko, STSM, IBM Lotus CTO Office (t/l 333-6389)
Lotus/WPLC Security Strategy and Patent Innovation Architect

	
"Close, Tyler J." <tyler.close@hp.com>
Sent by: public-wsc-wg-request@w3.org
04/27/2007 06:40 PM
To: <public-wsc-wg@w3.org>
cc:
Subject: Editing process for Recommendations

The calendar will soon turn to May and so if we're to do anything other than drink Guinness while in Dublin for the next F2F, we will need some draft recommendations.

I think each draft recommendation should be written up by the primary WG members who will be developing the proposal. This division of labor ensures each proposal is described by those most knowledgeable about it, and that we've got a champion for each proposal who will help drive the testing and implementation work that must be done.

To get some consistency among the proposal descriptions, I think we should develop a template. The template would specify some required sections for each proposal. For example, we could require a section that enumerates the use-cases addressed by the proposal, or the security information items relied upon, or the usability principles that are leveraged, etc. We should develop this template over the course of the next week.

I'd need to get finished text for each of the proposals by May 18th. By finished text, I mean the exact text that should appear in the recommendation document, but not necessarily in the W3C XML format. For those unfamiliar with this XML language, I could go through and add the syntax for the sections, paragraphs and lists. Look at our Note to see the available structural elements. Shawn and I could then merge these proposals into a document by the 23rd so that we all have a week to read and think about the proposals before meeting in Dublin.

Tyler

Received on Wednesday, 13 June 2007 17:43:19 UTC