sibiantony / ssleuth

A firefox add-on to rate the quality of HTTPS connections
GNU General Public License v3.0

Change score calculation formula #34

Open KOLANICH opened 9 years ago

KOLANICH commented 9 years ago

Calculate score not as a sum of scores of the components, but as the score of the worst component. If the security features are not present, crop the maximum score.

sibiantony commented 9 years ago

I think both the approaches would end up more or less the same.

as the score of the worst component

There can be multiple components that could be worse (e.g. a bad ciphersuite and a weak certificate). Agree that summing up everything may not be the right approach to assess the security.

The current way of calculating the score is done in a way that the user can change the default 'weights' for each component and customize the ratings.

KOLANICH commented 9 years ago

Maybe we should use the following approach. We have some components of the system; for each of them, knowing their weaknesses, it is possible to evaluate the amount of time needed to break them. In this way we can compare primitives with each other. Let's assume that breaking one component means the complete breaking of the system; that's why we can assume that a rational attacker will target the weakest component and invest all his money in it to break it as fast as possible, so the score is determined by the weakest component.

Then we need to decide which time is more than the user's information TTL (we can allow the user to set this parameter; the default one is that of the ciphersuite which is thought to be secure), and using this value we can calculate ciphersuite security. Also
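The two scoring styles discussed in this thread, the current weighted sum and the "worst component with caps for missing features" proposal from the opening comment, plus the time-to-break versus information-TTL comparison from the comment above, as an added example. This is not ssleuth's own code; the component names, weights, caps, 0..10 ratings, security-bit estimates and attacker throughput are all constructed for illustration.

```javascript
// Added example, not ssleuth's own code. It contrasts a weighted-sum score
// with the "worst component" score proposed in this issue, and sketches the
// time-to-break versus information-TTL comparison. All weights, caps,
// ratings and attacker rates below are constructed.

// Per-component ratings on a 0..10 scale (constructed scale and weights).
const DEFAULT_WEIGHTS = { cipher: 0.35, keyExchange: 0.3, certificate: 0.2, protocol: 0.15 };

// Maximum score allowed when a security feature is absent (constructed caps).
const FEATURE_CAPS = { forwardSecrecy: 6, hsts: 8 };

function requireRatings(ratings) {
  for (const name of Object.keys(DEFAULT_WEIGHTS)) {
    if (typeof ratings[name] !== "number") throw new Error(`missing rating for ${name}`);
  }
}

// Weighted sum: each component contributes weight * rating, so a strong
// cipher can mask a weak key exchange.
function weightedSum(ratings, weights = DEFAULT_WEIGHTS) {
  requireRatings(ratings);
  let total = 0;
  for (const [name, w] of Object.entries(weights)) total += w * ratings[name];
  return Math.round(total * 10) / 10;
}

// Worst-component score: the weakest rating wins, and a missing feature
// lowers the ceiling. Returns the score and what limited it.
function weakestComponent(ratings, features = {}, caps = FEATURE_CAPS) {
  requireRatings(ratings);
  let worst = null;
  for (const name of Object.keys(DEFAULT_WEIGHTS)) {
    if (worst === null || ratings[name] < ratings[worst]) worst = name;
  }
  let score = ratings[worst];
  let limitedBy = [worst];
  for (const [feature, cap] of Object.entries(caps)) {
    if (features[feature]) continue;
    if (cap < score) {
      score = cap;
      limitedBy = [`missing ${feature}`];
    } else if (cap === score) {
      limitedBy.push(`missing ${feature}`);
    }
  }
  return { score, limitedBy };
}

// Time-to-break view: given an estimated security level in bits per component
// and an assumed attacker throughput (constructed), the weakest component
// decides whether the connection outlasts the user's information TTL.
const SECONDS_PER_YEAR = 365.25 * 24 * 3600;

function yearsToBreak(bits, opsPerSecond) {
  return Math.pow(2, bits) / opsPerSecond / SECONDS_PER_YEAR;
}

function holdsForTTL(securityBits, ttlYears, opsPerSecond = 1e18) {
  const entries = Object.entries(securityBits);
  if (entries.length === 0) throw new Error("no components");
  let [component, bits] = entries[0];
  for (const [name, b] of entries) {
    if (b < bits) { component = name; bits = b; }
  }
  const years = yearsToBreak(bits, opsPerSecond);
  return { component, bits, years, holds: years >= ttlYears };
}

// Sample connection (constructed): strong cipher, weak key exchange, no forward secrecy.
const sample = { cipher: 9, keyExchange: 3, certificate: 8, protocol: 9 };
const sampleFeatures = { forwardSecrecy: false, hsts: true };
console.log("weighted sum:", weightedSum(sample));                            // 7
console.log("worst component:", weakestComponent(sample, sampleFeatures));     // { score: 3, limitedBy: ['keyExchange'] }
console.log("TTL check:", holdsForTTL({ cipher: 128, keyExchange: 80 }, 10));  // keyExchange, holds: false
```

The sample connection shows the point of the thread: the weighted sum reports 7 because the strong cipher and protocol outweigh the weak key exchange, while the worst-component score reports 3 and names the key exchange as the reason. The TTL check uses the same weakest-link rule on estimated work factors rather than on ratings.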

bickelj commented 8 years ago

I had a similar thought to KOLANICH; maybe the three "components" would be: confidentiality, integrity, and authenticity. The problem is in the details of how to: 1) scale those ideas, 2) transform the data onto those scales, 3) compare each scale. Yuck.

Therefore the currently implemented approach seems good for now.