W3C home > Mailing lists > Public > public-html@w3.org > August 2007

Re: [HDP] Secure by design

From: Joshue O Connor <joshue.oconnor@cfit.ie>
Date: Thu, 23 Aug 2007 09:38:33 +0100
Message-ID: <46CD4789.1040207@cfit.ie>
To: Robert Burns <rob@robburns.com>
Cc: Lachlan Hunt <lachlan.hunt@lachy.id.au>, public-html <public-html@w3.org>

Robert Burns wrote:
>f it said more
> about the inherent security versus accessibility issues I missed it.

Here are some better examples. [1] [2] The issues being referred to in
these references are not the show stoppers that they were are the time
but they are interesting as they indicate what *can* happen when
security needs and accessibility requirements are in conflict ,either
due to the needs of one domain (in this case security) taking precedence
over the needs of a minority group of users, in this case screen reader
users.

>> I will say that DRM, as hated as it is, is still very much the same
>> security we're talking about here. Although security is a part of
>> denying access (as the DRM case drives home), we should still seek to
>> ensure security even if we know it might be misused (as DRM so often is).

I also think DRM is a useful example, although Lachlan disagrees. It is
a slightly different domain but only slightly to what we are discussing
as it does deal with providing security to content delivered over
HTTP/FTP protocols - but IMO it is not an entirely inappropriate model
to reference.

>> I think Captchas are an excellent example of where accessibility may be
>> neglected in order to provide security

It is a better example considering our domain.

>> However, security and accessibility do not have to be at odds. I've
>> heard it said the three 'As of security are authentication, authority
>> and access. 

They don't have to be at odds but my point is that they often are in
their real world application. The two examples we are discussing are
indicative, and I will suggest that we will see more as technology
develops. However, what could reduce the chance of this happening:

1) An acknowledgment that there is an issue here. That security and
accessibility are not always comfortable bedfellows.
2) The need to find ways of increasing security but not at the expense
of accessibility or usability.
3) A greater understanding amongst the developers of secure web
applications of how Assistive Technology works and why some
implementation/methods/ features can impact negatively on users.

Rob mention the three A's. What are the three A's? They are principles.
My objection to the 'Secure by design' principle is that it does not
take responsibility in an explicit recognition of the negative effect it
can have on the accessibility domain.

[1] http://www.adobe.com/products/acrobat/access_book3.html (Go to
section How to Create Accessible Adobe PDF Files >
Security with accessible text.)

[2] http://www.washington.edu/accessit/articles?2
Received on Thursday, 23 August 2007 08:38:50 UTC

This archive was generated by hypermail 2.3.1 : Monday, 29 September 2014 09:38:48 UTC