Pat is accessing a web application inside her enterprise, using a secure (confidentiality, server authentication, replay protection) protocol (SSL/TLS). Her web user agent (a browser) recognizes an elevated risk state (the validity time period on the server's certificate is in the future). Pat has received training that makes her cautious about any problems that seem to be security related (her corporation has explicit legal requirements around the protection of the customer data she processes). Pat calls her help desk to report the error and get guidance. The help desk walks her through some steps to get more data about the problem, before giving her guidance on next steps. These steps include taking an action (menu, button press) to get detailed information that is meaningless to her, but useful to the person debugging the situation on the phone.


In every case where display of security context information abstracts the information, or displays an analogy of the information, or otherwise removes geeky, meaningless details (to the benefit of the user), there will be use cases where that detail is needed to relate or otherwise log to allow a more advanced user to diagnose a problem. In addition, reviewers, customers, and pundits all like to have specific, well defined security context information available to them. All information possible should be available to the user through an action they can easily take when explicitly told what to do, in a form they can relate to another human being (directly or indirectly through technology)