Re: ISSUE-117 (serge): Eliminating Faulty Recommendations [All]

From: Ian Fette <ifette@google.com>
Date: Mon, 19 Nov 2007 16:05:31 -0800
Message-ID: <bbeaa26f0711191605p1419257bt1ee3ac8d18664470@mail.gmail.com>
To: michael.mccormick@wellsfargo.com
Cc: johnath@mozilla.com, public-wsc-wg@w3.org

Not sure if I really want to say this on the record or not, but here goes. I
have seen a lot of things where W3C has gone off the deep end. Without
getting into specifics, there's a reason that WHATWG was started. Current
politics of WHATWG / HTML5 / XHTML5 / whatever aside, W3C was more or less
going in a direction that browsers were not going to follow, and it led to
very bad things. The web hasn't been standards-compliant for a long time,
and that is not a good thing. I would love to see more content conform to
one of the HTML/XHTML/etc standards, and I would love to see browsers doing
the same. However, for that to ever happen, the standards need to remain
realistic and relevant. If we start going off doing what we think would be
"cool", or even just "the right way" while ignoring realities, we risk going
down the same path that led to the WHATWG formation and subsequent politics.

I agree that W3C should strive for impartiality, but at the same time
impartiality should not imply losing our grip on reality. (I realize that's
not what you're saying, I'm just saying that is what can happen if we're not
careful.) As to "criteria 2" and automatic disqualification - I agree that
we don't want it to appear that we're in collusion and giving people a free
pass. However, my concern is that if we feel we're writing a spec that won't
be adopted, what's the point? Great, we're recommending "the right thing",
but if no-one takes us up and commits to that recommendation, what's the
point? If I felt that we were going to put out a recommendation that stood
no chance of adoption, I'd quit the working group tomorrow.

I don't think that Criteria 2 is intended as "Browser vendors get a veto on
the rec." More, I think it should be read as "Are we producing a spec that
will be implemented and adhered to, or are we wasting our time." That's a
very different message (although I will concede that the practical result
may be similar.) I want to make the web a safer place, but I also don't want
to waste my time in writing spec that will never be adhered to.

-Ian

P.S. do you have a proposal for how to re-word C2?


On Nov 19, 2007 3:22 PM, <michael.mccormick@wellsfargo.com> wrote:

>  Your perspective is totally valid Ian.  And from that perspective,
> everything you said makes sense.
>
> But a different perspective is that of a skeptic who looks at WSC, sees
> it's dominated & led by technology firms including some browser makers,
> reads in our acceptance criteria that W3C will only propose changes with
> guaranteed browser manufacturer uptake, and concludes the game was rigged.
> The actions of certain browser manufacturers have made many people skeptical
> about whether browser makers really care about security.  W3C needs to
> strive for an appearance of impartiality.  If you can imagine how this
> process looks to a skeptical outsider, maybe you can understand why I still
> feel Criteria 2 should be reworded?
>
> I agree any WSC recommendation which faces resistance from the UA
> community needs serious discussion.  I just don't think it should be
> automatically disqualified because browser makers don't like it.  Which is
> what Criteria 2 seems to imply.
>
> Mike
>
>  ------------------------------
> *From:* public-wsc-wg-request@w3.org [mailto:public-wsc-wg-request@w3.org]
> *On Behalf Of *Ian Fette
> *Sent:* Monday, November 19, 2007 3:42 PM
> *To:* McCormick, Mike
> *Cc:* johnath@mozilla.com; public-wsc-wg@w3.org
> *Subject:* Re: ISSUE-117 (serge): Eliminating Faulty Recommendations [All]
>
> I don't really view the recommendation as ammunition at all. I think that
> most likely you have an environment where security is taken seriously, in
> which both sides (UX and security) come together to make a reasonable
> decision, or you have an environment where security takes a back seat. In
> the former, you don't really need to hold up a spec and have "ammo", in the
> latter, you're in trouble anyways, and I don't think a brand-new spec
> (which, let's face it, is not at all critical path) is going to change
> anything.
>
> My personal view is this (and it is only my personal view, feel free to
> disagree). I want to see as many browsers fully-adopt as possible. If a
> browser is comfortable doing most of the things, and there are only a few
> minor holdouts, there may be willingness to give way and conform on those
> minor holdout areas, for the sake of being able to claim conformance. If
> there is something in the spec that is just not going to happen, for
> whatever reason, and a decision is made not to conform, then it makes it
> much easier to ignore all the other little things in the spec as well. Use
> whatever analogy you want (cracks in glass, faults, whatever), I just feel
> that if there is one thing that is going to cause non-conformance, it will
> likely spread and cause even more non-conformance.
>
> As for "people won't like it" - this worries me a lot, perhaps even more
> than "it won't work". If something drives users away to a less secure UA,
> that is like the worst of both worlds. It results in users being less
> protected, and if someone says "Adopting WSC-XIT caused a decline in market
> share of X in our product" then that certainly doesn't speak well for others
> deciding to adopt the rec, and also makes us look like we're out in la-la
> land.
>
> If we are told / believe that a part of the recommendation is not likely
> to be implemented, then we need to have a really serious discussion about
> whether that part should stay in, and what the likely effect on adoption of
> the overall proposal is.
>
> On Nov 19, 2007 11:52 AM, <michael.mccormick@wellsfargo.com> wrote:
>
> >  Hi Johnathan,
> >
> > No slight intended.  But just as a matter of principle I don't believe
> > "browser manufacturer adoption likelihood" should be a litmus test for W3C
> > recommendations (either browser manufacturers who participate in WSC or
> > others).  Criteria 2 should therefore be reworded or withdrawn imho.
> >
> > I recognize a distinction between "it won't work" versus "people won't
> > like it".  I would certainly agree nothing in the former category should
> > make it into wsc-xit.  The latter category is the one I worry about.  There
> > are certain browser manufacturers (present company excluded) where it seems
> > convenience, performance, or time-to-market frequently trumps security
> > considerations.  Even at a place like Mozilla where you don't have
> > shareholders to answer to, I would imagine security versus convenience/speed
> > trade-offs are difficult for you as they are for the rest of us.  Rather
> > than view WSC as "calling browsers to heel", I view it as extra ammunition
> > for the pro-security faction to use in those internal debates.
> >
> > Cheers Mike
> >
> >  ------------------------------
> > *From:* public-wsc-wg-request@w3.org [mailto:
> > public-wsc-wg-request@w3.org] *On Behalf Of *Johnathan Nightingale
> > *Sent:* Wednesday, November 14, 2007 5:03 PM
> > *To:* W3C WSC Public
> > *Subject:* Re: ISSUE-117 (serge): Eliminating Faulty Recommendations
> > [All]
> >
> > On 12-Nov-07, at 3:46 PM, <michael.mccormick@wellsfargo.com> wrote:
> >
> > Criteria 2, at least as phrased below, concerns me.  I don't feel WSC
> > should be constrained from making a recommendation just because a particular
> > community may resist adopting it.  Our guidance on favicons is a case in
> > point.  I'm skeptical browsers will adopt that recommendation any time soon
> > but it's still the right thing to do.  If browser manufacturers could always
> > be counted on to do the right things for security on their own, then
> > initiatives like WSC would be less necessary.  Criteria 2 could also
> > reinforce a perception among some skeptics that W3C is beholden to certain
> > web technology vendors and gives their needs priority over those of other
> > industries or the broader user community.
> >
> >
> > Parenthetical: I'm not sure if there's an implied slight in there or not
> > -- are we browser vendors assumed to be deliberately not doing the right
> > things for security on our own?  Is there some other interest we are
> > supposed to be serving than the well-being of our users?  I can't speak for
> > others, but I don't have any shareholders pulling my strings here.  The WSC
> > has positive, constructive reasons for existing that don't trace themselves
> > to "calling browsers to heel."
> >
> > I'm absolutely not sold on the idea that dropping favicons is the right
> > thing to do, but without meaning to diverge from issue-117, I would agree
> > that we shouldn't elevate any members of the working group as being more
> > influential than others.  I would also argue that recommendations for which
> > we pat ourselves on the back, but which don't see any implementation
> > anywhere, are mostly a waste of our time though.  Whether it's content
> > authors, browser authors, crypto researchers, or some other group, I would
> > hope that "this won't work" would be a topic of significant consideration
> > and concern to our group.
> >
> > Cheers,
> >
> > Johnathan
> >
> >   ---
> > Johnathan Nightingale
> > Human Shield
> > johnath@mozilla.com
> >
> >
> >
> >
>
Received on Tuesday, 20 November 2007 00:05:49 GMT