Re: ISSUE-117 (serge): Eliminating Faulty Recommendations [All]

I don't really view the recommendation as ammunition at all. I think that
most likely you have an environment where security is taken seriously, in
which both sides (UX and security) come together to make a reasonable
decision, or you have an environment where security takes a back seat. In
the former, you don't really need to hold up a spec and have "ammo"; in the
latter, you're in trouble anyways, and I don't think a brand-new spec
(which, let's face it, is not at all critical path) is going to change
anything.

My personal view is this (and it is only my personal view, feel free to
disagree). I want to see as many browsers fully adopt as possible. If a
browser is comfortable doing most of the things, and there are only a few
minor holdouts, there may be willingness to give way and conform on those
minor holdout areas, for the sake of being able to claim conformance. If
there is something in the spec that is just not going to happen, for
whatever reason, and a decision is made not to conform, then it makes it
much easier to ignore all the other little things in the spec as well. Use
whatever analogy you want (cracks in glass, faults, whatever), I just feel
that if there is one thing that is going to cause non-conformance, it will
likely spread and cause even more non-conformance.

As for "people won't like it" - this worries me a lot, perhaps even more
than "it won't work". If something drives users away to a less secure UA,
that is like the worst of both worlds. It results in users being less
protected, and if someone says "Adopting WSC-XIT caused a decline in market
share of X in our product" then that certainly doesn't speak well for others
deciding to adopt the rec, and also makes us look like we're out in la-la
land.

If we are told / believe that a part of the recommendation is not likely to
be implemented, then we need to have a really serious discussion about
whether that part should stay in, and what the likely effect on adoption of
the overall proposal is.

On Nov 19, 2007 11:52 AM, <michael.mccormick@wellsfargo.com> wrote:

>  Hi Johnathan,
>
> No slight intended.  But just as a matter of principle I don't believe
> "browser manufacturer adoption likelihood" should be a litmus test for W3C
> recommendations (either browser manufacturers who participate in WSC or
> others).  Criteria 2 should therefore be reworded or withdrawn imho.
>
> I recognize a distinction between "it won't work" versus "people won't
> like it".  I would certainly agree nothing in the former category should
> make it into wsc-xit.  The latter category is the one I worry about.  There
> are certain browser manufacturers (present company excluded) where it seems
> convenience, performance, or time-to-market frequently trumps security
> considerations.  Even at a place like Mozilla where you don't have
> shareholders to answer to, I would imagine security versus convenience/speed
> trade-offs are difficult for you as they are for the rest of us.  Rather
> than view WSC as "calling browsers to heel", I view it as extra ammunition
> for the pro-security faction to use in those internal debates.
>
> Cheers Mike
>
>  ------------------------------
> *From:* public-wsc-wg-request@w3.org [mailto:public-wsc-wg-request@w3.org]
> *On Behalf Of *Johnathan Nightingale
> *Sent:* Wednesday, November 14, 2007 5:03 PM
> *To:* W3C WSC Public
> *Subject:* Re: ISSUE-117 (serge): Eliminating Faulty Recommendations [All]
>
>  On 12-Nov-07, at 3:46 PM, <michael.mccormick@wellsfargo.com> wrote:
>
> Criteria 2, at least as phrased below, concerns me.  I don't feel WSC
> should be constrained from making a recommendation just because a particular
> community may resist adopting it.  Our guidance on favicons is a case in
> point.  I'm skeptical browsers will adopt that recommendation any time soon
> but it's still the right thing to do.  If browser manufacturers could always
> be counted on to do the right things for security on their own, then
> initiatives like WSC would be less necessary.  Criteria 2 could also
> reinforce a perception among some skeptics that W3C is beholden to certain
> web technology vendors and gives their needs priority over those of other
> industries or the broader user community.
>
>
> Parenthetical: I'm not sure if there's an implied slight in there or not
> -- are we browser vendors assumed to be deliberately not doing the right
> things for security on our own?  Is there some other interest we are
> supposed to be serving than the well-being of our users?  I can't speak for
> others, but I don't have any shareholders pulling my strings here.  The WSC
> has positive, constructive reasons for existing that don't trace themselves
> to "calling browsers to heel."
>
> I'm absolutely not sold on the idea that dropping favicons is the right
> thing to do, but without meaning to diverge from issue-117, I would agree
> that we shouldn't elevate any members of the working group as being more
> influential than others.  I would also argue that recommendations for which
> we pat ourselves on the back, but which don't see any implementation
> anywhere, are mostly a waste of our time though.  Whether it's content
> authors, browser authors, crypto researchers, or some other group, I would
> hope that "this won't work" would be a topic of significant consideration
> and concern to our group.
>
> Cheers,
>
> Johnathan
>
>  ---
> Johnathan Nightingale
> Human Shield
> johnath@mozilla.com

Received on Monday, 19 November 2007 21:42:56 UTC