- From: Luis Barriga <luis.barriga@ericsson.com>
- Date: Tue, 20 Nov 2007 23:07:20 +0100
- To: <public-wsc-wg@w3.org>
- Cc: "Ian Fette" <ifette@google.com>, <michael.mccormick@wellsfargo.com>
Look-and-feel has often been a distinguishing factor for brands offering UI-based user services. That mindset is good for competitive reasons, but what we are saying is that such a mindset should not extend to a baseline of security indicators that we are recommending. Is there a minimal set (baseline) of recommendations that we agree MUST be supported?

Luis

> -----Original Message-----
> From: Ian Fette [mailto:ifette@google.com]
> Sent: Tuesday, November 20, 2007 11:21 AM
> To: McCormick, Mike
> Cc: public-wsc-wg@w3.org
> Subject: Re: ISSUE-117 (serge): Eliminating Faulty Recommendations [All]
>
> I understand the intent of "realistically feasible", but it sounds like we now are giving ourselves waaay too much wiggle room. For instance, we might think something "realistically feasible", but the browser vendors have a much better idea of their own market and its willingness to put up with our machinations. Thus, what seems feasible to us might seem totally ludicrous to them.
>
> Buy-in acts also as a forcing function - it forces us to open up a dialog, which frankly is lacking right now (not necessarily due to the fault of our group, but I really think that we do at least need to have some sort of discussion with the folks at MS and Apple, regardless on whether they join the WG or not, to at least get a reality check from them.) I think this forcing function would be a very good motivator. I'm not trying to say that the spec is contingent upon MS approval or anything of the sort, nor do I lose sleep over whether MSFT will join WSC. I just really want that dialog to happen, "officially" or unofficially, I just think it's unhealthy the way things are moving forward.
>
> @Mike:
> "The WHATWG is a growing community of people interested in evolving the Web. It focuses primarily on the development of HTML and APIs needed for Web applications.
>
> The WHATWG was founded by individuals of Apple, the Mozilla Foundation, and Opera Software in 2004, after a W3C workshop. Apple, Mozilla and Opera were becoming increasingly concerned about the W3C's direction with XHTML, lack of interest in HTML and apparent disregard for the needs of real-world authors. So, in response, these organisations set out with a mission to address these concerns and the Web Hypertext Application Technology Working Group was born." (From WHATWG FAQ)
>
> WHATWG basically took over the spec for HTML5, because people believed W3C was just out of it. Unlike W3C, there was no cost to participate, and the mailing lists have been much more active than the W3C lists... since then WHATWG and the W3C are now "working on the same specification", which is a very strange arrangement and not entirely clear what it means.
>
> If you want more information beyond that, I don't really trust myself to be an accurate and unbiased source on the matter. I would point you to @tlr, but I have no idea if he wants to go down this particular rathole. Perhaps offline, or on the member list, you might have better luck.
>
> On Nov 20, 2007 8:03 AM, <michael.mccormick@wellsfargo.com> wrote:
> > Hi Ian,
> >
> > Thanks for sharing this. I'm new to W3C so knowing this history helps me understand where you guys were coming from with Criteria 2. (What's WHATWG?)
> >
> > According to the SuccessBaseline page, C2 currently reads:
> >
> > 2. There is buy in and uptake of the recommendation by browsers, web application developers, web site administrators, and users
> >
> > My suggested rewording:
> >
> > 2. Adoption and implementation of the recommendation by browsers, web application developers, web site administrators, and users is realistically feasible
> >
> > I think this preserves the original intent of C2 (as I understand it) while subtly shifting the emphasis from "buy in" to "feasibility".
> >
> > Mike
> >
> > ________________________________
> > From: Ian Fette [mailto:ifette@google.com]
> > Sent: Monday, November 19, 2007 6:06 PM
> > To: McCormick, Mike
> > Cc: johnath@mozilla.com; public-wsc-wg@w3.org
> > Subject: Re: ISSUE-117 (serge): Eliminating Faulty Recommendations [All]
> >
> > Not sure if I really want to say this on the record or not, but here goes. I have seen a lot of things where W3C has gone off the deep end. Without getting into specifics, there's a reason that WHATWG was started. Current politics of WHATWG / HTML5 / XHTML5 / whatever aside, W3C was more or less going in a direction that browsers were not going to follow, and it led to very bad things. The web hasn't been standards-compliant for a long time, and that is not a good thing. I would love to see more content conform to one of the HTML/XHTML/etc standards, and I would love to see browsers doing the same. However, for that to ever happen, the standards need to remain realistic and relevant. If we start going off doing what we think would be "cool", or even just "the right way" while ignoring realities, we risk going down the same path that led to the WHATWG formation and subsequent politics.
> >
> > I agree that W3C should strive for impartiality, but at the same time impartiality should not imply losing our grip on reality. (I realize that's not what you're saying, I'm just saying that is what can happen if we're not careful.) As to "criteria 2" and automatic disqualification - I agree that we don't want it to appear that we're in collusion and giving people a free pass. However, my concern is that if we feel we're writing a spec that won't be adopted, what's the point? Great, we're recommending "the right thing", but if no-one takes us up and commits to that recommendation, what's the point? If I felt that we were going to put out a recommendation that stood no chance of adoption, I'd quit the working group tomorrow.
> >
> > I don't think that Criteria 2 is intended as "Browser vendors get a veto on the rec." More, I think it should be read as "Are we producing a spec that will be implemented and adhered to, or are we wasting our time." That's a very different message (although I will concede that the practical result may be similar.) I want to make the web a safer place, but I also don't want to waste my time in writing spec that will never be adhered to.
> >
> > -Ian
> >
> > P.S. do you have a proposal for how to re-word C2?
> >
> > On Nov 19, 2007 3:22 PM, <michael.mccormick@wellsfargo.com> wrote:
> > > Your perspective is totally valid Ian. And from that perspective, everything you said makes sense.
> > >
> > > But a different perspective is that of a skeptic who looks at WSC, sees it's dominated & led by technology firms including some browser makers, reads in our acceptance criteria that W3C will only propose changes with guaranteed browser manufacturer uptake, and concludes the game was rigged. The actions of certain browser manufacturers have made many people skeptical about whether browser makers really care about security. W3C needs to strive for an appearance of impartiality. If you can imagine how this process looks to a skeptical outsider, maybe you can understand why I still feel Criteria 2 should be reworded?
> > >
> > > I agree any WSC recommendation which faces resistance from the UA community needs serious discussion. I just don't think it should be automatically disqualified because browser makers don't like it. Which is what Criteria 2 seems to imply.
> > >
> > > Mike
> > >
> > > ________________________________
> > > From: public-wsc-wg-request@w3.org [mailto:public-wsc-wg-request@w3.org] On Behalf Of Ian Fette
> > > Sent: Monday, November 19, 2007 3:42 PM
> > > To: McCormick, Mike
> > > Cc: johnath@mozilla.com; public-wsc-wg@w3.org
> > > Subject: Re: ISSUE-117 (serge): Eliminating Faulty Recommendations [All]
> > >
> > > I don't really view the recommendation as ammunition at all. I think that most likely you have an environment where security is taken seriously, in which both sides (UX and security) come together to make a reasonable decision, or you have an environment where security takes a back seat. In the former, you don't really need to hold up a spec and have "ammo", in the latter, you're in trouble anyways, and I don't think a brand-new spec (which, let's face it, is not at all critical path) is going to change anything.
> > >
> > > My personal view is this (and it is only my personal view, feel free to disagree). I want to see as many browsers fully-adopt as possible. If a browser is comfortable doing most of the things, and there are only a few minor holdouts, there may be willingness to give way and conform on those minor holdout areas, for the sake of being able to claim conformance. If there is something in the spec that is just not going to happen, for whatever reason, and a decision is made not to conform, then it makes it much easier to ignore all the other little things in the spec as well. Use whatever analogy you want (cracks in glass, faults, whatever), I just feel that if there is one thing that is going to cause non-conformance, it will likely spread and cause even more non-conformance.
> > >
> > > As for "people won't like it" - this worries me a lot, perhaps even more than "it won't work".
> > > If something drives users away to a less secure UA, that is like the worst of both worlds. It results in users being less protected, and if someone says "Adopting WSC-XIT caused a decline in market share of X in our product" then that certainly doesn't speak well for others deciding to adopt the rec, and also makes us look like we're out in la-la land.
> > >
> > > If we are told / believe that a part of the recommendation is not likely to be implemented, then we need to have a really serious discussion about whether that part should stay in, and what the likely effect on adoption of the overall proposal is.
> > >
> > > On Nov 19, 2007 11:52 AM, <michael.mccormick@wellsfargo.com> wrote:
> > > > Hi Johnathan,
> > > >
> > > > No slight intended. But just as a matter of principle I don't believe "browser manufacturer adoption likelihood" should be a litmus test for W3C recommendations (either browser manufacturers who participate in WSC or others). Criteria 2 should therefore be reworded or withdrawn imho.
> > > >
> > > > I recognize a distinction between "it won't work" versus "people won't like it". I would certainly agree nothing in the former category should make it into wsc-xit. The latter category is the one I worry about. There are certain browser manufacturers (present company excluded) where it seems convenience, performance, or time-to-market frequently trumps security considerations. Even at a place like Mozilla where you don't have shareholders to answer to, I would imagine security versus convenience/speed trade-offs are difficult for you as they are for the rest of us. Rather than view WSC as "calling browsers to heel", I view it as extra ammunition for the pro-security faction to use in those internal debates.
> > > >
> > > > Cheers
> > > > Mike
> > > >
> > > > ________________________________
> > > > From: public-wsc-wg-request@w3.org [mailto:public-wsc-wg-request@w3.org] On Behalf Of Johnathan Nightingale
> > > > Sent: Wednesday, November 14, 2007 5:03 PM
> > > > To: W3C WSC Public
> > > > Subject: Re: ISSUE-117 (serge): Eliminating Faulty Recommendations [All]
> > > >
> > > > On 12-Nov-07, at 3:46 PM, <michael.mccormick@wellsfargo.com> wrote:
> > > > > Criteria 2, at least as phrased below, concerns me. I don't feel WSC should be constrained from making a recommendation just because a particular community may resist adopting it. Our guidance on favicons is a case in point. I'm skeptical browsers will adopt that recommendation any time soon but it's still the right thing to do. If browser manufacturers could always be counted on to do the right things for security on their own, then initiatives like WSC would be less necessary. Criteria 2 could also reinforce a perception among some skeptics that W3C is beholden to certain web technology vendors and gives their needs priority over those of other industries or the broader user community.
> > > >
> > > > Parenthetical: I'm not sure if there's an implied slight in there or not -- are we browser vendors assumed to be deliberately not doing the right things for security on our own? Is there some other interest we are supposed to be serving than the well-being of our users? I can't speak for others, but I don't have any shareholders pulling my strings here. The WSC has positive, constructive reasons for existing that don't trace themselves to "calling browsers to heel."
> > > >
> > > > I'm absolutely not sold on the idea that dropping favicons is the right thing to do, but without meaning to diverge from issue-117, I would agree that we shouldn't elevate any members of the working group as being more influential than others. I would also argue that recommendations for which we pat ourselves on the back, but which don't see any implementation anywhere, are mostly a waste of our time though. Whether it's content authors, browser authors, crypto researchers, or some other group, I would hope that "this won't work" would be a topic of significant consideration and concern to our group.
> > > >
> > > > Cheers,
> > > >
> > > > Johnathan
> > > >
> > > > ---
> > > > Johnathan Nightingale
> > > > Human Shield
> > > > johnath@mozilla.com
Received on Tuesday, 20 November 2007 22:07:47 UTC