- From: Rich Schwerdtfeger <richschwer@gmail.com>
- Date: Sat, 9 Apr 2016 12:00:46 -0500
- To: James Nurthen <james.nurthen@oracle.com>
- Cc: John Foliot <john.foliot@deque.com>, public-aria@w3.org
- Message-Id: <8CADE1C5-8C60-43C8-B63C-E17B27384D8D@gmail.com>
That is my opinion as well. Sent from my iPhone > On Apr 8, 2016, at 12:57 PM, James Nurthen <james.nurthen@oracle.com> wrote: > > John, > My issue with this whole "evil author" thing is that an "evil author" can do exactly what you are talking about today without the need for a password role. Why are we getting hung up on this? > Regards, > James > >> On 4/8/2016 10:54 AM, John Foliot wrote: >> Hi all, >> >> Outside of SVG, are there any other W3C mark-up languages where this is a problem? >> Is the lack of ability to create a password field in SVG the primary driver of this request/need today? >> Could the “native semantic” issue (and related security/privacy concerns) be dealt with inside of the SVG spec instead? >> >> One of my ongoing concerns is with giving an author (any author, from IBM or Oracle to Dr. Evil and his Merry Band of Tricksters) a carte-blanche ability to imply some sense of security and privacy on a custom, author-supplied widget. Saying we can't impose behavior on a custom control via ARIA is one thing, turning around and giving authors the ability to be untruthful about it is a whole other kettle of fish, and I am troubled that we may not be looking at how this proposed attribute might be used maliciously, with the express attempt to deceive. >> >> It is my hope that this question also be contemplated in a security review. >> >> JF >> -- >> John Foliot >> Principal Accessibility Strategist >> Austin, TX >> >> Deque Systems Inc. >> 2121 Cooperative Way, Suite 210, >> Herndon, VA 20171-5344 >> Office: 703-225-0380 >> john.foliot@deque.com >> >> Advancing the mission of digital accessibility and inclusion >> >> >> >> From: Richard Schwerdtfeger [mailto:richschwer@gmail.com] >> Sent: Friday, April 8, 2016 11:44 AM >> To: James Nurthen <james.nurthen@oracle.com> >> Cc: public-aria@w3.org >> Subject: Re: Security Evaluation Request >> >> You cannot make an accessible password field in SVG without it. >> >> On Apr 8, 2016, at 11:40 AM, James Nurthen <james.nurthen@oracle.com> wrote: >> >> >> >> On 4/8/2016 9:37 AM, Gervase Markham wrote: >> On 08/04/16 17:22, Richard Schwerdtfeger wrote: >> Companies do not use standard HTML markup when they feel it does not >> meet their needs. It really does not have anything to do with whether >> the markup is semantically correct. This is happening now and we >> don’t even have a password role. Companies that must do this for >> business reasons need a way to make it accessible. >> They have a way to make it accessible - use a proper password field. So >> what you are asking for is actually a second way to make it accessible. >> What happens if some company then comes forward and says they can't use >> your solution because for security reasons they aren't allowed to label >> the field "password" in any way. What do you do then? Invent an alias >> and call it "type='mrblobby'"? >> >> There is only a certain distance one should go to accommodate ridiculous >> corporate requests. "We want to do passwords but don't want to use >> password fields" is a user-hostile request (both for users requiring >> accessibility technology and other users) and should be treated as such. >> How can someone create a password field in SVG without this? >> >> Regards, >> James >> >> >> >> The bigger issue is that passwords as a technology have long outlived >> their usefulness. The growing world aging population has issues >> remembering passwords for all the sites they have to gain access to >> so they often use a simple, short, easy to remember password across >> all the sites creating a security issue. To this end even HTML’s >> password is a security risk as it is much easier to hack. This can >> result in identity theft and a whole litany of issues. Captchas are >> also a huge problem for aging users. >> This may be so; but encouraging people to use non-password fields for >> passwords and so avoiding all the software people are using to help them >> manage the password problem (which does make things better) doesn't help. >> >> Gerv >> >> >> -- >> Regards, James >> <oracle_sig_logo.gif> >> James Nurthen | Principal Engineer, Accessibility >> Phone: +1 650 506 6781 | Mobile: +1 415 987 1918 | Video: james.nurthen@oracle.com >> Oracle Corporate Architecture >> 500 Oracle Parkway | Redwood Cty, CA 94065 >> <green-for-email-sig_0.gif> Oracle is committed to developing practices and products that help protect the environment > > -- > Regards, James > <oracle_sig_logo.gif> > James Nurthen | Principal Engineer, Accessibility > Phone: +1 650 506 6781 | Mobile: +1 415 987 1918 | Video: james.nurthen@oracle.com > Oracle Corporate Architecture > 500 Oracle Parkway | Redwood Cty, CA 94065 > <green-for-email-sig_0.gif> Oracle is committed to developing practices and products that help protect the environment
Received on Saturday, 9 April 2016 17:01:16 UTC