Re: ARIA password role from Rich Schwerdtfeger on 2016-05-02 (public-webappsec@w3.org from May 2016)

From: Rich Schwerdtfeger <richschwer@gmail.com>
Date: Mon, 2 May 2016 13:06:49 -0500
To: Brad Hill <hillbrad@gmail.com>, Janina Sajka <janina@rednote.net>
Cc: Brad Hill <hillbrad@fb.com>, dvedits@mozilla.com, ARIA Working Group <public-aria@w3.org>, public-webappsec@w3.org, Mike Cooper <cooper@w3.org>
Message-Id: <B002DEC5-41ED-42CD-B420-9FB5C165D008@gmail.com>

True. Are the other browser manufacturers planning to provide similar security indicators? 

We need to make sure AT Vendors report the indicators across browsers. I don’t know who would coordinate that with AT vendors (the APA working group or ARIA) but I will discuss that with the rest of the ARIA Working Group Thursday. 

Based on your input I believe our password role definition is sound. We just need to work with AT vendors on this and ensuring they render text properly. 

Regards, 

Rich


Rich Schwerdtfeger




> On May 2, 2016, at 11:01 AM, Brad Hill <hillbrad@gmail.com> wrote:
> 
> I'm not sure that even #1 is necessary.  There is no such notification for without AT for users interacting with fields that "behave like" password fields but aren't <input type=password>.  A meaningful trust decision can only be made by examining the address bar to verify the identity of the resource and that it was delivered securely.
> 
> On Mon, May 2, 2016 at 8:59 AM Rich Schwerdtfeger <richschwer@gmail.com <mailto:richschwer@gmail.com>> wrote:
> Brad, 
> 
> Thank you for responding to us so quickly. I gather that you don’t see it is necessary to have a joint meeting on the security issues related to an ARIA password role. 
> 
> Let me try and summarize what you deem to the best course of action:
> 
> 1. Ensure that the assistive technology is conveyed that this is a custom password role versus the standard HTML password role and this should be conveyed in our specification. 
> 2. With this addition the password role text is acceptable: https://rawgit.com/w3c/aria/password-role/aria/aria.html#password <https://rawgit.com/w3c/aria/password-role/aria/aria.html#password>
> 3. Although this is separate from ARIA, work with AT vendors to ensure that they notify the AT user of the state of security indicators in browsers: https://developer.mozilla.org/en-US/docs/Web/Security/Insecure_passwords <https://developer.mozilla.org/en-US/docs/Web/Security/Insecure_passwords>
> 
> If you agree with this summary the ARIA Working Group will  proceed on this advice. 
> 
> Rich
> 
> Rich Schwerdtfeger
> Chair, ARIA Working Group
> 
> 
>

Received on Monday, 2 May 2016 18:07:20 UTC