RE: ISSUE-117 (serge): Eliminating Faulty Recommendations [All]

Hi Ian,
 
Thanks for sharing this.  I'm new to W3C so knowing this history helps
me understand where you guys were coming from with Criteria 2.  (What's
WHATWG?)
 
According to the SuccessBaseline page, C2 currently reads:
 
2. There is buy in and uptake of the recommendation by browsers, web
application developers, web site administrators, and users 
 
My suggested rewording:
 
2. Adoption and implementation of the recommendation by browsers, web
application developers, web site administrators, and users is
realistically feasible
 
I think this preserves the original intent of C2 (as I understand it)
while subtly shifting the emphasis from "buy in" to "feasibility".
 
Mike

  _____  

From: Ian Fette [mailto:ifette@google.com] 
Sent: Monday, November 19, 2007 6:06 PM
To: McCormick, Mike
Cc: johnath@mozilla.com; public-wsc-wg@w3.org
Subject: Re: ISSUE-117 (serge): Eliminating Faulty Recommendations [All]


Not sure if I really want to say this on the record or not, but here
goes. I have seen a lot of things where W3C has gone off the deep end.
Without getting into specifics, there's a reason that WHATWG was
started. Current politics of WHATWG / HTML5 / XHTML5 / whatever aside,
W3C was more or less going in a direction that browsers were not going
to follow, and it led to very bad things. The web hasn't been
standards-compliant for a long time, and that is not a good thing. I
would love to see more content conform to one of the HTML/XHTML/etc
standards, and I would love to see browsers doing the same. However, for
that to ever happen, the standards need to remain realistic and
relevant. If we start going off doing what we think would be "cool", or
even just "the right way" while ignoring realities, we risk going down
the same path that led to the WHATWG formation and subsequent politics. 

I agree that W3C should strive for impartiality, but at the same time
impartiality should not imply losing our grip on reality. (I realize
that's not what you're saying, I'm just saying that is what can happen
if we're not careful.) As to "criteria 2" and automatic disqualification
- I agree that we don't want it to appear that we're in collusion and
giving people a free pass. However, my concern is that if we feel we're
writing a spec that won't be adopted, what's the point? Great, we're
recommending "the right thing", but if no-one takes us up and commits to
that recommendation, what's the point? If I felt that we were going to
put out a recommendation that stood no chance of adoption, I'd quit the
working group tomorrow. 

I don't think that Criteria 2 is intended as "Browser vendors get a veto
on the rec." More, I think it should be read as "Are we producing a spec
that will be implemented and adhered to, or are we wasting our time."
That's a very different message (although I will concede that the
practical result may be similar.) I want to make the web a safer place,
but I also don't want to waste my time in writing spec that will never
be adhered to. 

-Ian

P.S. do you have a proposal for how to re-word C2?



On Nov 19, 2007 3:22 PM, <michael.mccormick@wellsfargo.com > wrote:


	Your perspective is totally valid Ian.  And from that
perspective, everything you said makes sense.
	 
	But a different perspective is that of a skeptic who looks at
WSC, sees it's dominated & led by technology firms including some
browser makers, reads in our acceptance criteria that W3C will only
propose changes with guaranteed browser manufacturer uptake, and
concludes the game was rigged.  The actions of certain browser
manufacturers have made many people skeptical about whether browser
makers really care about security.  W3C needs to strive for an
appearance of impartiality.  If you can imagine how this process looks
to a skeptical outsider, maybe you can understand why I still feel
Criteria 2 should be reworded?
	 
	I agree any WSC recommendation which faces resistance from the
UA community needs serious discussion.  I just don't think it should be
automatically disqualified because browser makers don't like it.  Which
is what Criteria 2 seems to imply.
	 
	Mike

  _____  

	From: public-wsc-wg-request@w3.org
[mailto:public-wsc-wg-request@w3.org] On Behalf Of Ian Fette
	Sent: Monday, November 19, 2007 3:42 PM
	To: McCormick, Mike
	Cc: johnath@mozilla.com; public-wsc-wg@w3.org 

	Subject: Re: ISSUE-117 (serge): Eliminating Faulty
Recommendations [All]
	

	I don't really view the recommendation as ammunition at all. I
think that most likely you have an environment where security is taken
seriously, in which both sides (UX and security) come together to make a
reasonable decision, or you have an environment where security takes a
back seat. In the former, you don't really need to hold up a spec and
have "ammo", in the latter, you're in trouble anyways, and I don't think
a brand-new spec (which, let's face it, is not at all critical path) is
going to change anything. 
	
	My personal view is this (and it is only my personal view, feel
free to disagree). I want to see as many browsers fully-adopt as
possible. If a browser is comfortable doing most of the things, and
there are only a few minor holdouts, there may be willingness to give
way and conform on those minor holdout areas, for the sake of being able
to claim conformance. If there is something in the spec that is just not
going to happen, for whatever reason, and a decision is made not to
conform, then it makes it much easier to ignore all the other little
things in the spec as well. Use whatever analogy you want (cracks in
glass, faults, whatever), I just feel that if there is one thing that is
going to cause non-conformance, it will likely spread and cause even
more non-conformance. 
	
	As for "people won't like it" - this worries me a lot, perhaps
even more than "it won't work". If something drives users away to a less
secure UA, that is like the worst of both worlds. It results in users
being less protected, and if someone says "Adopting WSC-XIT caused a
decline in market share of X in our product" then that certainly doesn't
speak well for others deciding to adopt the rec, and also makes us look
like we're out in la-la land. 
	
	If we are told / believe that a part of the recommendation is
not likely to be implemented, then we need to have a really serious
discussion about whether that part should stay in, and what the likely
affect on adoption of the overall proposal is. 
	
	
	On Nov 19, 2007 11:52 AM, <michael.mccormick@wellsfargo.com>
wrote:
	

		Hi Johnathan,
		 
		No slight intended.  But just as a matter of principle I
don't believe "browser manufacturer adoption likelihood" should be a
litmus test for W3C recommendations (either browser manufacturers who
participate in WSC or others).  Criteria 2 should therefore be reworded
or withdrawn imho.
		 
		I recognize a distinction between "it won't work" versus
"people won't like it".  I would certainly agree nothing in the former
category should make it into wsc-xit.  The latter category is the one I
worry about.  There are certain browser manufacturers (present company
excluded) where it seems convenience, performance, or time-to-market
frequently trumps security considerations.  Even at a place like Mozilla
where you don't have shareholders to answer to, I would imagine security
versus convenience/speed trade-offs are difficult for you as they are
for the rest of us.  Rather than view WSC as "calling browsers to heel",
I view it as extra ammunition for the pro-security faction to use in
those internal debates.
		 
		Cheers Mike

  _____  

		From: public-wsc-wg-request@w3.org
[mailto:public-wsc-wg-request@w3.org ] On Behalf Of Johnathan
Nightingale
		Sent: Wednesday, November 14, 2007 5:03 PM
		To: W3C WSC Public 

		Subject: Re: ISSUE-117 (serge): Eliminating Faulty
Recommendations [All]
		

		On 12-Nov-07, at 3:46 PM,
<michael.mccormick@wellsfargo.com> <michael.mccormick@wellsfargo.com >
wrote:

			Criteria 2, at least as phrased below, concerns
me.  I don't feel WSC should be constrained from making a recommendation
just because a particular community may resist adopting it.  Our
guidance on favicons is a case in point.  I'm skeptical browsers will
adopt that recommendation any time soon but it's still the right thing
to do.  If browser manufacturers could always be counted on to do the
right things for security on their own, then initiatives like WSC would
be less necessary.  Criteria 2 could also reinforce a perception among
some skeptics that W3C is beholden to certain web technology vendors and
gives their needs priority over those of other industries or the broader
user community.  


		Parenthetical: I'm not sure if there's an implied slight
in there or not -- are we browser vendors assumed to be deliberately not
doing the right things for security on our own?  Is there some other
interest we are supposed to be serving than the well-being of our users?
I can't speak for others, but I don't have any shareholders pulling my
strings here.  The WSC has positive, constructive reasons for existing
that don't trace themselves to "calling browsers to heel."
		

		I'm absolutely not sold on the idea that dropping
favicons is the right thing to do, but without meaning to diverge from
issue-117, I would agree that we shouldn't elevate any members of the
working group as being more influential than others.  I would also argue
that recommendations for which we pat ourselves on the back, but which
don't see any implementation anywhere, are mostly a waste of our time
though.  Whether it's content authors, browser authors, crypto
researchers, or some other group, I would hope that "this won't work"
would be a topic of significant consideration and concern to our group.

		Cheers,

		Johnathan

		
		---
		Johnathan Nightingale
		Human Shield
		johnath@mozilla.com

Received on Tuesday, 20 November 2007 16:04:29 UTC