[cabfpub] CABForum Teleconference Proposed Topic: Common Browser UI Security Indicators

Mike Reilly (WDG) Mike.Reilly at microsoft.com
Wed Jul 19 12:52:26 MST 2017


Curt, I’m also not convinced a working group is needed and really want to move this discussion to a more transparent and open forum with all stakeholders rather than having multiple side conversations on the topic.  The main thing we seem to be trying to solve is phishing and user impact.  UI is one approach but has many challenges such as different OSs, different browsers, different form factors (e.g. desktop, phone, IoT), different users from different cultures and different accessibility needs.  The number of variables is rather high and it seems the most comprehensive research I can find on the topic was published by Google and CASC.  Thanks, Mike

From: Public [mailto:public-bounces at cabforum.org] On Behalf Of Kirk Hall via Public
Sent: Monday, July 17, 2017 5:08 PM
To: CA/Browser Forum Public Discussion List <public at cabforum.org>
Subject: [cabfpub] CABForum Teleconference Proposed Topic: Common Browser UI Security Indicators

To my knowledge, a common browser UI has not been discussed in the CAB Forum before (although as I recall, it was always expected that a new EV UI would be created by browsers during the years we were drafting the EV Guidelines in the Forum).

I would point out that the array of browser UIs today is so mixed up that no user can really understand what the UIs mean – see link.

https://casecurity.org/browser-ui-security-indicators/

Plus, these indicators are constantly changing with no apparent guiding theory, so even if you understand the UIs today, you will probably not understand them tomorrow.  And there has been no real user education for years.  For these reasons, a common UI across browsers (and some stability in design) would be very welcome.

From: cspann at apple.com [mailto:cspann at apple.com]
Sent: Monday, July 17, 2017 4:04 PM
To: Kirk Hall <Kirk.Hall at entrustdatacard.com>; CA/Browser Forum Public Discussion List <public at cabforum.org>
Cc: Mike Reilly (WDG) <Mike.Reilly at microsoft.com>; Nate Santiago <nasantia at microsoft.com>
Subject: [EXTERNAL]Re: [cabfpub] CABForum Teleconference Proposed Topic: Common Browser UI Security Indicators

To clarify, I was requesting to discuss if common browser UI should be discussed at the CAB Forum and if it had been discussed in the past what was the outcome of those discussions. Currently we are not looking to participate in a browser UI working group.

Cheers,
Curt

On Jul 13, 2017, at 11:51 AM, Kirk Hall via Public <public at cabforum.org> wrote:

Sounds good.  Our next teleconference is a week from today, and I’ll schedule a block of time.

From: Public [mailto:public-bounces at cabforum.org] On Behalf Of Mike Reilly (WDG) via Public
Sent: Thursday, July 13, 2017 11:16 AM
To: CA/Browser Forum Public Discussion List <public at cabforum.org>
Cc: Nate Santiago <nasantia at microsoft.com>
Subject: [EXTERNAL][cabfpub] CABForum Teleconference Proposed Topic: Common Browser UI Security Indicators

Hi Kirk.  Curt Spann (Apple) and I would like some time on the next CABF teleconference to talk about coordinating browser UI security indicators for TLS/SSL certs.  We have an interest in this area, and would like feedback from other browsers and CAs on the following:


  1.  Should browsers work toward common browser UI security indicators related to certificates?
  2.  With the move to 100% encryption, what indicator should DV, OV, and EV sites receive?
  3.  Should we set up a new Browser UI Working Group within the Forum under the new governance structure to work on this topic?

Can we block out some time on the next call for this topic?  Thanks, Mike

Mike Reilly | Principal PM Lead, Risk Management & Crypto Ecosystem
Windows and Devices Group (WDG) InfoSec