Re: "industry standards" from Johnathan Nightingale on 2007-08-08 (public-wsc-wg@w3.org from August 2007)

From: Johnathan Nightingale <johnath@mozilla.com>
Date: Wed, 8 Aug 2007 15:02:51 -0400
To: Thomas Roessler <tlr@w3.org>
Cc: public-wsc-wg@w3.org
Message-Id: <D7E97554-6DFB-4EF1-B2FF-12017B12F0F5@mozilla.com>

Thomas, all,

That clause was mostly intended as preventative medicine against  
cynical implementors who declare conformance by surfacing identity  
information, but who make no attempt to assess the quality of that  
information even as far as "CAs we trust vs. CAs we don't vs. Self- 
signed."  Maybe that's unnecessarily paranoid, but I wanted the rec  
to have teeth at least as far as the "reasonable person" doctrine for  
what constitutes a legitimate source of identity information (e.g.  
Not DNS.  :)

Do you think there is SHOULD language we can introduce that tries to  
keep people honest in this way, or do you view the exercise as  
unnecessary.

         User agents SHOULD rely on technologies which are designed  
to be resilient against identity fraud?
or:   User agents SHOULD employ information sources whose issuance  
includes verification of identifying information?

In the absence of a better alternative, I agree that it is better to  
drop the requirement than to leave it uselessly open-ended, but  
whereas the other "industry standard" bullet was replaced with  
something spirit-preservingly similar, it would be nice for this one  
to do likewise.

Cheers,

Johnathan

On 8-Aug-07, at 1:16 PM, Thomas Roessler wrote:

> Johnathan, all,
>
> in rewriting the "identity signal" part, I'll assume the agreement
> to drop the "MAY extend with industry standard stuff" also extended
> to the "SHOULD rely on technologies accepted as industry standards
> of indentification" clause.
>
> The argument against this is the same as for the other text: This is
> an open-ended normative reference, and it's actually more grave in a
> SHOULD than in a MAY.
>
> I'm therefore dropping the following text without replacement:
>
>      <p>User agents SHOULD rely on technologies which are accepted
>      as industry standards of identification when populating this
>      indicator.</p>
>
> Please speak up on the list if you disagree.
>
> Thanks,
> -- 
> Thomas Roessler, W3C  <tlr@w3.org>

---
Johnathan Nightingale
Human Shield
johnath@mozilla.com

Received on Thursday, 9 August 2007 12:33:39 UTC