15:28:30 RRSAgent has joined #ag 15:28:30 logging to http://www.w3.org/2017/06/15-ag-irc 15:28:32 RRSAgent, make logs public 15:28:32 Zakim has joined #ag 15:28:34 Chair: AWK 15:28:34 Zakim, this will be WAI_WCAG 15:28:34 ok, trackbot 15:28:35 Meeting: Accessibility Guidelines Working Group Teleconference 15:28:35 Date: 15 June 2017 15:28:41 +AWK 15:28:47 Zakim, who is on the phone? 15:28:48 Present: AWK 15:29:03 Present+ JF 15:29:09 zakim, agenda? 15:29:09 I see nothing on the agenda 15:29:16 present+ 15:29:43 agenda+ Accessible Authentication: https://www.w3.org/2002/09/wbs/35422/COGA_Auth/results 15:29:47 agenda+ TPAC 15:29:54 Detlev has joined #ag 15:30:27 agenda+ User interface Component Contrast: https://www.w3.org/2002/09/wbs/35422/Top3_18Apr2017/results#xlvt 15:30:49 marcjohlic has joined #ag 15:31:34 Rachael has joined #ag 15:31:35 present+ 15:31:41 present+ Rachael 15:31:43 ScottM has joined #ag 15:32:03 shawn has joined #ag 15:32:35 present+ Greg_Lowney 15:32:51 present+ Joshue108 15:32:51 gowerm has joined #ag 15:32:53 present+ Glenda 15:33:02 present+ MikeGower 15:33:16 steverep_ has joined #ag 15:33:26 present+steverep 15:33:41 Scribe:Mike_Gower 15:33:51 Zakim, take up item 2 15:33:51 agendum 2. "TPAC" taken up [from AWK] 15:33:55 +Laura 15:33:56 present+ Detlev 15:34:25 AWK sent email this morning that contains links to TPAC 15:34:48 present+ jasonjgw 15:35:11 present+ alastairc 15:35:31 Look into flights. Our days are Monday and Tuesday. Wednesday session is useful for newcomers. Thursday ACT and LV TFs meeting. 15:35:34 present+ 15:35:47 zakim, close item 2 15:35:47 agendum 2, TPAC, closed 15:35:48 I see 2 items remaining on the agenda; the next one is 15:35:48 1. Accessible Authentication: https://www.w3.org/2002/09/wbs/35422/COGA_Auth/results [from AWK] 15:35:51 Zakim, take up item 1 15:35:51 agendum 1. "Accessible Authentication: https://www.w3.org/2002/09/wbs/35422/COGA_Auth/results" taken up [from AWK] 15:36:07 JF_ has joined #ag 15:36:20 zakim, JF_ is JF 15:36:20 sorry, JF_, I do not recognize a party named 'JF_' 15:36:27 zakim, ping us in 25 minutes 15:36:27 ok, AWK 15:36:59 Q+ 15:37:12 Lisa: Two-step authentication is inaccessible. 15:37:20 q+ to ask if reducing security for people that might be more likely to be targets of bad actors is appropriate 15:38:08 LS: Sites can conform using w3c specification. 15:38:57 LS: A lot of sites won't confirm because the processes they use aren't accessible. They need to create an alternative 15:39:27 ack jf 15:39:32 https://www.w3.org/TR/webauthn/ 15:40:10 John Foliot: Concern raised in issue thread about 2-step authentication for banking organizations. This is a requirement. Not addressed 15:40:22 https://w3c.github.io/coga/issue-papers/privacy-security.html 15:40:49 JF: Difference between high-security authentication versus simple authentication. If addressed, it would mitigatte concerns 15:41:08 q+ 15:41:58 s/high-security authentication versus/high-security authentication (for medical/legal/financial transactions, e.g.) versus 15:42:05 LS: DIdn't know there was a mandate for two-step authentication. Need an exception for that. 15:42:46 q+ 15:43:05 LS: What's wrong with finger prints? 15:43:24 JF: There is a group that would not meet any specific biometric requirement. 15:43:59 s/mitigatte/mitigate 15:44:06 Email is one of the key services that should have two step authentication, reseting your password every time is not possible there. 15:44:08 JF: The language does not address these nuances. I agree with the need, but it is prescriptive as is. 15:44:41 LS: We can clarify in the write-up. All we're asking for is an alternative. 15:44:55 q- 15:45:11 kathy has joined #ag 15:45:45 ack jas 15:46:04 present+ Kathy 15:46:04 Jason: Has list of issues. Won't summarize now. All in survey. 15:46:25 shadi has joined #ag 15:46:36 alister they can be 2 set, there just al;so should be something e;se that we can use or at east that we can reset 15:46:52 q+ to ask about "recalling" and "copying" 15:47:10 Jason: Everyone agrees we need to move past password authentication. We need to maintain security. W3C is seeking to standardize APIs in this area. This is a problem of timing. When are all these accessible authentication mechanisms that offer high security going to be available? 15:47:29 present+ 15:47:41 q+ 15:47:56 Jason: comments about ambiguities and lack of clarity. Suggested changes. OVerall view is that security implications need to be very understood. 15:49:06 Jason: creating situations that would create vulnerabilities puts large numbers of people at risk. 15:49:11 ack gow 15:49:37 gowerm: wanted to raise that there are a lot of things raised in issues that are not addressed in this version 15:50:07 ... would like to see things like "minimal levels" addressed 15:50:31 ack AWK 15:50:31 AWK, you wanted to ask about "recalling" and "copying" 15:50:35 So if passwords and copying numbers are not used, what would the two factors be? 15:50:50 Mike Gower: Address all the issues flagged in the comments. 15:51:45 but is it as secure? 15:51:51 SMS is being phased out, it is too easy to take over someone's phone line. 15:52:01 AWK: The SC seems to cover a lot of ground. There is no exception for copying information. 15:52:18 LS: If you have an employee ID number, that might be fine. Or a social security number. 15:52:25 SMS not secure: https://www.theregister.co.uk/2016/12/06/2fa_missed_warning/ 15:52:56 AWK: There's no expectation that anyone is going to remember their password? 15:53:15 LS: Correct.Many people just write it on a piece of paper. 15:54:20 Lisa: what would two valid methods be for two factor that any website can use? 15:54:20 Q+ to ask if we have consulted with the w3c security WG? 15:54:21 AWK: If sent to email, you're going to have to log in to your email. If sent to your phone, you may have to authenticate to your phone. 15:54:52 ack lisa 15:55:16 LS: Mike's point is a good one. Maybe we can have a minimum string length. She will get back to the group. 15:56:12 LS: To Jason's point, places with secure envrionments use smart cards. They've been around a long time. So there are technology solutions out there. 15:56:14 They are given the laptops by work, how does a random website do this for any person?? 15:56:39 q+ 15:56:44 LS: Our job is to say 'you have to use some of the solutions out there' 15:57:44 LS: Discussed with security people. SC wasn't written in a vacuum. 15:58:11 ack JF 15:58:11 JF_, you wanted to ask if we have consulted with the w3c security WG? 15:58:43 JF: I would like to see a review from the W3C security team. We need their input and guidance. 15:59:13 JF: Splitting into low risk and high risk seems like a good approach. 15:59:31 ack jason 16:00:39 Jason: The standardization is well-behind the actual technology. There's a timing issue to be looked at, as well as other issues in my comments. 16:01:27 AWK, you asked to be pinged at this time 16:01:56 LS: I'm not the SC manager. 16:02:14 there needs to be a common / possible method though! 16:02:45 RESOLUTION: Leave open 16:02:49 Zakim, next item 16:02:49 agendum 3. "User interface Component Contrast: https://www.w3.org/2002/09/wbs/35422/Top3_18Apr2017/results#xlvt" taken up [from AWK] 16:04:05 https://www.w3.org/2002/09/wbs/35422/Top3_18Apr2017/results 16:04:47 Alastair: Doesn't object to 3:1, but wants an editorial note saying this needs research to support. 16:05:01 +1 to adding an editorial note about considering 3:1 or keep 4.5 :1 16:06:03 Jason: Are there contrast requirements around the state of the control, not just the boundaries of the control? 16:07:10 Glenda: You need to be able to do more than just see the control. You also need to see state. Does it have focus? Is it unselected? That is an essential understanding of that control. 16:07:45 Jason: I read the proposal as not covering that. You need to be clearer. 16:08:17 Needs to be changed to simply: "Essential visual identifiers of user interface components have..." 16:08:27 Glenda: That is a really good point. 16:08:43 Kim has joined #ag 16:08:51 essential visual identifiers of a user interface component have a contrast ratio 16:09:14 +1 to adding or incorporating role and state, suggest also adding focus 16:09:22 Jason: Needs to be clear in a definition or glossary. 16:09:38 Glenda: Do we do it in the SC or the glossary term? 16:10:20 q+ to ask about the relationship to the "do not rely on color alone" SC 1.4.1 16:10:28 q+ 16:10:42 ack AWK 16:10:42 AWK, you wanted to ask about the relationship to the "do not rely on color alone" SC 1.4.1 16:11:12 AWK: What does the LVTF see as the connection between Use of Color and this SC? 16:12:25 q+ to answe Andrew's question 16:12:26 AWK: Need to address the difference and potential conflict between these. 16:12:52 Q+ to also confirm that this SC covers the use of "icons" (graphical indications that aren't text) - i.e. the light-gray "printer icon" 16:13:42 Glenda: Don't use color alone is valid AND you also have to have a certain level of contrast to be able to see it. 16:13:46 ack gower 16:13:51 Taking example of a highlighted tab, it would fail 1.4.1 if there was no semantic info behind it. It would fail contrast because people couldn't perceive it. 16:14:22 Gower: bringing in other things like selection and states makes it much more complicated 16:14:48 Mike Gower: Differences in state also have contrast requirements, not addressed in this SC 16:15:12 ack me 16:15:12 JF_, you wanted to also confirm that this SC covers the use of "icons" (graphical indications that aren't text) - i.e. the light-gray "printer icon" 16:16:03 Glenda: Correct. Imagine that a selection state of a buton is light gray, but the non-selected is white. Is the contrast difference between the two states unsufficient. 16:16:16 JF - I think that would be the general graphics contrast SC unless it's a link. Hmm, and if it is it might be under both! 16:16:23 ack steverep 16:16:24 steverep_, you wanted to answe Andrew's question 16:17:00 Steve: Agree that 1.4.1 use of color versus Contrast minimum has same relationship. 16:17:37 @alastair - ya... this is complex. There is both seeing the control in any state, and also seeing *which* state it is in 16:17:37 Steve: Bringing in talking about states is making it more complicated than it needs to get. It's just about seeing it. 16:17:58 q+ to say If we keep this, I like Steve’s (?) proposal of addressing visual indication of role and state, but add label (e.g. text or icon identifyiing the purpose of a button). 16:17:59 Or would checkboxes and radio buttons be covered by the "graphical objects" language? 16:18:07 ack Greg 16:18:07 Greg, you wanted to say If we keep this, I like Steve’s (?) proposal of addressing visual indication of role and state, but add label (e.g. text or icon identifyiing the purpose 16:18:10 ... of a button). 16:18:10 Steve: This isn't about recognizing differences in state. It is about seeing it in any state. 16:19:08 Role and State are not enough, as you need label (e.g. text on a button). 16:19:23 That's already part of the component 16:19:33 AWK: Text is already covered by another SC. 16:20:03 You believe that everything labeling/identifying a control is already covered, by which SC? 16:20:20 Apologies that my phone is misbehaving. 16:20:25 Glenda: Difference between Alastair's SC and mine is that the author created the object from scratch, whereas user interface component is eitehr created by the browser or monkeyed with using CSS. 16:21:05 AWK: So user agent default is exempted as long as author is not overriding. 16:21:07 s/eitehr/either 16:21:19 Note we've also filed bugs with all browsers 16:21:42 Glenda: Let's fix user agent contrast issues with UI components with the vendor. 16:22:38 q+ 16:22:41 shadi has joined #ag 16:22:43 I agree; I proposed the exception for presentation that's fixed by the UA (e.g. standard controls) for another SC, and it would apply equally here. We want a properly-designed, vanilla HTML form to conform by default. 16:23:20 shadi_ has joined #ag 16:24:31 I prefer "does not" rather than "cannot" be modified by the content, because the content cannot be programmed to account for bugs in every different UA. Otherwise we'd be forcing every page to use custom controls instead of standard ones, and that is obviously counter-productive. 16:24:37 We can say "are not OR cannot" but I think the existing language is enough 16:24:57 q+ 16:25:49 q+ to say it would be better to have browsers do it 16:26:17 ack gower 16:26:34 All essential visual identifiers that indicate that a user... 16:26:55 ack jason 16:27:06 +1 to "indicate" - I had added that to my comments as well 16:27:24 Also, the user is assumed to have the ability to choose their UA to one that is most accessible for their needs. 16:27:25 Jason: graphic contrast proposal needs to be looked at carefullly. Consider combining 16:27:34 essential visual identifiers of a user interface component have a contrast ratio 16:27:43 But this one applies to HTML elements, the other is for graphics. 16:27:54 Jason: Interactive versus non-interactive or whether made or stock don't really bear on contrast requirements 16:28:20 need to drop now 16:28:23 present+ 16:28:48 q? 16:29:05 ack steverep 16:29:05 steverep_, you wanted to say it would be better to have browsers do it 16:29:09 Glenda: I agree, but the time to combine isn't now. Intricate enough that they should be addressed separately. For clarity and accuracy keep separate to make sure not losing anything. Consider combining after making it through public review. 16:30:19 Steve: If we require authors to do it, they all do it differently. If require UAs, it is done uniformly. 16:30:27 AWK: Some risk the user agents will do nothing. 16:30:30 bye all 16:30:39 zakim, who is on the phone? 16:30:39 Present: AWK, JF, ChrisLoiselle, Detlev, Rachael, Greg_Lowney, Joshue108, Glenda, MikeGower, steverep, Laura, jasonjgw, alastairc, allanj, Kathy, shadi, lisa 16:30:46 trackbot, end meeting 16:30:46 Zakim, list attendees 16:30:46 As of this point the attendees have been AWK, JF, ChrisLoiselle, Detlev, Rachael, Greg_Lowney, Joshue108, Glenda, MikeGower, steverep, Laura, jasonjgw, alastairc, allanj, Kathy, 16:30:49 ... shadi, lisa 16:30:51 rrsagent, set logs p[ublic 16:30:54 RRSAgent, please draft minutes 16:30:55 I have made the request to generate http://www.w3.org/2017/06/15-ag-minutes.html trackbot 16:30:55 rrsagent, set logs public