RE: ISSUE-117 (serge): Eliminating Faulty Recommendations [All]

Your perspective is totally valid Ian.  And from that perspective,
everything you said makes sense.
 
But a different perspective is that of a skeptic who looks at WSC, sees
it's dominated & led by technology firms including some browser makers,
reads in our acceptance criteria that W3C will only propose changes with
guaranteed browser manufacturer uptake, and concludes the game was
rigged.  The actions of certain browser manufacturers have made many
people skeptical about whether browser makers really care about
security.  W3C needs to strive for an appearance of impartiality.  If
you can imagine how this process looks to a skeptical outsider, maybe
you can understand why I still feel Criteria 2 should be reworded?
 
I agree any WSC recommendation which faces resistance from the UA
community needs serious discussion.  I just don't think it should be
automatically disqualified because browser makers don't like it.  Which
is what Criteria 2 seems to imply.
 
Mike

  _____  

From: public-wsc-wg-request@w3.org [mailto:public-wsc-wg-request@w3.org]
On Behalf Of Ian Fette
Sent: Monday, November 19, 2007 3:42 PM
To: McCormick, Mike
Cc: johnath@mozilla.com; public-wsc-wg@w3.org
Subject: Re: ISSUE-117 (serge): Eliminating Faulty Recommendations [All]


I don't really view the recommendation as ammunition at all. I think
that most likely you have an environment where security is taken
seriously, in which both sides (UX and security) come together to make a
reasonable decision, or you have an environment where security takes a
back seat. In the former, you don't really need to hold up a spec and
have "ammo", in the latter, you're in trouble anyways, and I don't think
a brand-new spec (which, let's face it, is not at all critical path) is
going to change anything. 

My personal view is this (and it is only my personal view, feel free to
disagree). I want to see as many browsers fully adopt as possible. If a
browser is comfortable doing most of the things, and there are only a
few minor holdouts, there may be willingness to give way and conform on
those minor holdout areas, for the sake of being able to claim
conformance. If there is something in the spec that is just not going to
happen, for whatever reason, and a decision is made not to conform, then
it makes it much easier to ignore all the other little things in the
spec as well. Use whatever analogy you want (cracks in glass, faults,
whatever), I just feel that if there is one thing that is going to cause
non-conformance, it will likely spread and cause even more
non-conformance. 

As for "people won't like it" - this worries me a lot, perhaps even more
than "it won't work". If something drives users away to a less secure
UA, that is like the worst of both worlds. It results in users being
less protected, and if someone says "Adopting WSC-XIT caused a decline
in market share of X in our product" then that certainly doesn't speak
well for others deciding to adopt the rec, and also makes us look like
we're out in la-la land. 

If we are told / believe that a part of the recommendation is not likely
to be implemented, then we need to have a really serious discussion
about whether that part should stay in, and what the likely effect on
adoption of the overall proposal is. 


On Nov 19, 2007 11:52 AM, <michael.mccormick@wellsfargo.com> wrote:


	Hi Johnathan,
	 
	No slight intended.  But just as a matter of principle I don't
	believe "browser manufacturer adoption likelihood" should be a litmus
	test for W3C recommendations (either browser manufacturers who
	participate in WSC or others).  Criteria 2 should therefore be reworded
	or withdrawn imho.
	 
	I recognize a distinction between "it won't work" versus "people
	won't like it".  I would certainly agree nothing in the former category
	should make it into wsc-xit.  The latter category is the one I worry
	about.  There are certain browser manufacturers (present company
	excluded) where it seems convenience, performance, or time-to-market
	frequently trumps security considerations.  Even at a place like Mozilla
	where you don't have shareholders to answer to, I would imagine security
	versus convenience/speed trade-offs are difficult for you as they are
	for the rest of us.  Rather than view WSC as "calling browsers to heel",
	I view it as extra ammunition for the pro-security faction to use in
	those internal debates.
	 
	Cheers Mike

  _____  

	From: public-wsc-wg-request@w3.org [mailto:public-wsc-wg-request@w3.org] On Behalf Of Johnathan Nightingale
	Sent: Wednesday, November 14, 2007 5:03 PM
	To: W3C WSC Public
	Subject: Re: ISSUE-117 (serge): Eliminating Faulty Recommendations [All]
	

	On 12-Nov-07, at 3:46 PM, <michael.mccormick@wellsfargo.com> wrote:

		Criteria 2, at least as phrased below, concerns me.  I
		don't feel WSC should be constrained from making a recommendation just
		because a particular community may resist adopting it.  Our guidance on
		favicons is a case in point.  I'm skeptical browsers will adopt that
		recommendation any time soon but it's still the right thing to do.  If
		browser manufacturers could always be counted on to do the right things
		for security on their own, then initiatives like WSC would be less
		necessary.  Criteria 2 could also reinforce a perception among some
		skeptics that W3C is beholden to certain web technology vendors and
		gives their needs priority over those of other industries or the broader
		user community.


	Parenthetical: I'm not sure if there's an implied slight in
	there or not -- are we browser vendors assumed to be deliberately not
	doing the right things for security on our own?  Is there some other
	interest we are supposed to be serving than the well-being of our users?
	I can't speak for others, but I don't have any shareholders pulling my
	strings here.  The WSC has positive, constructive reasons for existing
	that don't trace themselves to "calling browsers to heel."
	

	I'm absolutely not sold on the idea that dropping favicons is
	the right thing to do, but without meaning to diverge from issue-117, I
	would agree that we shouldn't elevate any members of the working group
	as being more influential than others.  I would also argue that
	recommendations for which we pat ourselves on the back, but which don't
	see any implementation anywhere, are mostly a waste of our time though.
	Whether it's content authors, browser authors, crypto researchers, or
	some other group, I would hope that "this won't work" would be a topic
	of significant consideration and concern to our group.

	Cheers,

	Johnathan

	
	---
	Johnathan Nightingale
	Human Shield
	johnath@mozilla.com

Received on Monday, 19 November 2007 23:26:24 UTC