W3C home > Mailing lists > Public > public-wsc-wg@w3.org > November 2007

RE: ISSUE-117 (serge): Eliminating Faulty Recommendations [All]

From: Luis Barriga <luis.barriga@ericsson.com>
Date: Tue, 20 Nov 2007 23:07:20 +0100
Message-ID: <1C6A13C92F510849B72272A71F9F3BCB023D4655@esealmw105.eemea.ericsson.se>
To: <public-wsc-wg@w3.org>
Cc: "Ian Fette" <ifette@google.com>, <michael.mccormick@wellsfargo.com>

Look-and-feel has often been a distinguishing factor for brands offering
UI-based user services. That mindset is good for competitive reasons,
but what we are saying is that such a mindset should not extend to a
baseline of security indicators that we are recommending.

Is there a minimal set (baseline) of recommendations that we agree MUST
be supported?

Luis

> -----Original Message-----
> From: Ian Fette [mailto:ifette@google.com]
>
> Sent: Tuesday, November 20, 2007 11:21 AM
> To: McCormick, Mike
> Cc: public-wsc-wg@w3.org
> Subject: Re: ISSUE-117 (serge): Eliminating Faulty Recommendations 
> [All]
>
> I understand the intent of "realistically feasible", but it sounds 
> like we now are giving ourselves waaay too much wiggle room. For 
> instance, we might think something "realistically feasible", but the 
> browser vendors have a much better idea of their own market and its 
> willingness to put up with our machinations. Thus, what seems feasible

> to us might seem totally ludicrous to them.
>
> Buy-in acts also as a forcing function - it forces us to open up a 
> dialog, which frankly is lacking right now (not necessarily due to the

> fault of our group, but I really think that we do at least need to 
> have some sort of discussion with the folks at MS and Apple, 
> regardless on whether they join the WG or not, to at least get a 
> reality check from
> them.) I think this forcing function would be a very good motivator. 
> I'm not trying to say that the spec is contingent upon MS approval or 
> anything of the sort, nor do I lose sleep over whether MSFT will join 
> WSC. I just really want that dialog to happen, "officially" or 
> unofficially, I just think it's unhealthy the way things are moving 
> forward.
>
> @Mike:
> "The WHATWG is a growing community of people interested in evolving 
> the Web. It focuses primarily on the development of HTML and APIs 
> needed for Web applications.
>
> The WHATWG was founded by individuals of Apple, the Mozilla 
> Foundation, and Opera Software in 2004, after a W3C workshop. Apple, 
> Mozilla and Opera were becoming increasingly concerned about the W3C's

> direction with XHTML, lack of interest in HTML and apparent disregard 
> for the needs of real-world authors. So, in response, these 
> organisations set out with a mission to address these concerns and the

> Web Hypertext Application Technology Working Group was born. " (From 
> WHATWG FAQ)
>
> WHATWG basically took over the spec for HTML5, because people believed

> W3C was just out of it. Unlike W3C, there was no cost to participate, 
> and the mailing lists have been much more active than the W3C lists...
> since then WHATWG and the W3C are now "working on the same 
> specification", which is a very strange arrangement and not entirely 
> clear what it means.
>
> If you want more information beyond that, I don't really trust myself 
> to be an accurate and unbiased source on the matter. I would point you

> to @tlr, but I have no idea if he wants to go down this particular
rathole.
> Perhaps offline, or on the member list, you might have better luck.
>
>
>
> On Nov 20, 2007 8:03 AM,  <michael.mccormick@wellsfargo.com> wrote:
> >
> >
> > Hi Ian,
> >
> > Thanks for sharing this.  I'm new to W3C so knowing this history 
> > helps
>
> > me understand where you guys were coming from with Criteria 2.
> > (What's
> > WHATWG?)
> >
> > According to the SuccessBaseline page, C2 currently reads:
> >
> > 2. There is buy in and uptake of the recommendation by browsers, web

> > application developers, web site administrators, and users
> >
> > My suggested rewording:
> >
> > 2. Adoption and implementation of the recommendation by browsers, 
> > web application developers, web site administrators, and users is 
> > realistically feasible
> >
> > I think this preserves the original intent of C2 (as I understand 
> > it) while subtly shifting the emphasis from "buy in" to
"feasibility".
> >
> > Mike
> >
> >  ________________________________
> >  From: Ian Fette [mailto:ifette@google.com]
> > Sent: Monday, November 19, 2007 6:06 PM
> >
> >
> > To: McCormick, Mike
> > Cc: johnath@mozilla.com; public-wsc-wg@w3.org
> > Subject: Re: ISSUE-117 (serge): Eliminating Faulty Recommendations 
> > [All]
> >
> >
> >
> > Not sure if I really want to say this on the record or not, but here

> > goes. I have seen a lot of things where W3C has gone off the deep
end.
>
> > Without getting into specifics, there's a reason that WHATWG was 
> > started. Current politics of WHATWG / HTML5 / XHTML5 / whatever 
> > aside,
>
> > W3C was more or less going in a direction that browsers were not 
> > going
>
> > to follow, and it led to very bad things. The web hasn't been 
> > standards-compliant for a long time, and that is not a good thing. I

> > would love to see more content conform to one of the HTML/XHTML/etc 
> > standards, and I would love to see browsers doing the same. However,

> > for that to ever happen, the standards need to remain realistic and 
> > relevant. If we start going off doing what we think would be "cool",

> > or even just "the right way" while ignoring realities, we risk going
> down the same path that led to the WHATWG formation and subsequent 
> politics.
> >
> > I agree that W3C should strive for impartiality, but at the same 
> > time impartiality should not imply losing our grip on reality. (I 
> > realize that's not what you're saying, I'm just saying that is what 
> > can happen
>
> > if we're not
> > careful.) As to "criteria 2" and automatic disqualification - I 
> > agree that we don't want it to appear that we're in collusion and 
> > giving people a free pass. However, my concern is that if we feel 
> > we're writing a spec that won't be adopted, what's the point? Great,

> > we're recommending "the right thing", but if no-one takes us up and 
> > commits to that recommendation, what's the point? If I felt that we 
> > were going
>
> > to put out a recommendation that stood no chance of adoption, I'd 
> > quit
> the working group tomorrow.
> >
> > I don't think that Criteria 2 is intended as "Browser vendors get a 
> > veto on the rec." More, I think it should be read as "Are we 
> > producing
>
> > a spec that will be implemented and adhered to, or are we wasting 
> > our time." That's a very different message (although I will concede 
> > that the practical result may be similar.) I want to make the web a 
> > safer place, but I also don't want to waste my time in writing spec 
> > that
> will never be adhered to.
> >
> > -Ian
> >
> > P.S. do you have a proposal for how to re-word C2?
> >
> >
> >
> > On Nov 19, 2007 3:22 PM, <michael.mccormick@wellsfargo.com > wrote:
> >
> > >
> > >
> > > Your perspective is totally valid Ian.  And from that perspective,
> > everything you said makes sense.
> > >
> > > But a different perspective is that of a skeptic who looks at WSC,

> > > sees
> > it's dominated & led by technology firms including some browser 
> > makers, reads in our acceptance criteria that W3C will only propose 
> > changes with guaranteed browser manufacturer uptake, and concludes 
> > the
> game was rigged.
> > The actions of certain browser manufacturers have made many people 
> > skeptical about whether browser makers really care about security.
> > W3C needs to strive for an appearance of impartiality.  If you can 
> > imagine how this process looks to a skeptical outsider, maybe you 
> > can understand why I still feel Criteria 2 should be reworded?
> > >
> > > I agree any WSC recommendation which faces resistance from the UA
> > community needs serious discussion.  I just don't think it should be

> > automatically disqualified because browser makers don't like it.
> > Which is what Criteria 2 seems to imply.
> > >
> > > Mike
> > >
> > > ________________________________
> >  From: public-wsc-wg-request@w3.org
> > [mailto:public-wsc-wg-request@w3.org] On Behalf Of Ian Fette
> > > Sent: Monday, November 19, 2007 3:42 PM
> > > To: McCormick, Mike
> > > Cc: johnath@mozilla.com; public-wsc-wg@w3.org
> > >
> > > Subject: Re: ISSUE-117 (serge): Eliminating Faulty Recommendations

> > > [All]
> > >
> > >
> > >
> > > I don't really view the recommendation as ammunition at all. I 
> > > think
>
> > > that
> > most likely you have an environment where security is taken 
> > seriously,
>
> > in which both sides (UX and security) come together to make a 
> > reasonable decision, or you have an environment where security takes

> > a
>
> > back seat. In the former, you don't really need to hold up a spec 
> > and have "ammo", in the latter, you're in trouble anyways, and I 
> > don't think a brand-new spec (which, let's face it, is not at all 
> > critical
> > path) is going to change anything.
> > >
> > > My personal view is this (and it is only my personal view, feel 
> > > free
>
> > > to
> > disagree). I want to see as many browsers fully-adopt as possible. 
> > If a browser is comfortable doing most of the things, and there are 
> > only a few minor holdouts, there may be willingness to give way and 
> > conform
>
> > on those minor holdout areas, for the sake of being able to claim 
> > conformance. If there is something in the spec that is just not 
> > going to happen, for whatever reason, and a decision is made not to 
> > conform,
>
> > then it makes it much easier to ignore all the other little things 
> > in the spec as well. Use whatever analogy you want (cracks in glass,

> > faults, whatever), I just feel that if there is one thing that is 
> > going to cause non-conformance, it will likely spread and cause even
> more non-conformance.
> > >
> > > As for "people won't like it" - this worries me a lot, perhaps 
> > > even more
> > than "it won't work". If something drives users away to a less 
> > secure UA, that is like the worst of both worlds. It results in 
> > users being less protected, and if someone says "Adopting WSC-XIT 
> > caused a decline
>
> > in market share of X in our product" then that certainly doesn't 
> > speak
>
> > well for others deciding to adopt the rec, and also makes us look 
> > like
>
> > we're out in la-la land.
> > >
> > > If we are told / believe that a part of the recommendation is not 
> > > likely
> > to be implemented, then we need to have a really serious discussion 
> > about whether that part should stay in, and what the likely affect 
> > on adoption of the overall proposal is.
> > >
> > >
> > > On Nov 19, 2007 11:52 AM, <michael.mccormick@wellsfargo.com>
wrote:
> > >
> > > >
> > > >
> > > > Hi Johnathan,
> > > >
> > > > No slight intended.  But just as a matter of principle I don't 
> > > > believe
> > "browser manufacturer adoption likelihood" should be a litmus test 
> > for
>
> > W3C recommendations (either browser manufacturers who participate in

> > WSC or others).  Criteria 2 should therefore be reworded or 
> > withdrawn
> imho.
> > > >
> > > > I recognize a distinction between "it won't work" versus "people

> > > > won't
> > like it".  I would certainly agree nothing in the former category 
> > should make it into wsc-xit.  The latter category is the one I worry

> > about.  There are certain browser manufacturers (present company
> > excluded) where it seems convenience, performance, or time-to-market

> > frequently trumps security considerations.  Even at a place like 
> > Mozilla where you don't have shareholders to answer to, I would 
> > imagine security versus convenience/speed trade-offs are difficult 
> > for
>
> > you as they are for the rest of us.  Rather than view WSC as 
> > "calling browsers to heel", I view it as extra ammunition for the 
> > pro-security
> faction to use in those internal debates.
> > > >
> > > > Cheers Mike
> > > >
> > > > ________________________________
> >  From: public-wsc-wg-request@w3.org
> > [mailto:public-wsc-wg-request@w3.org ] On Behalf Of Johnathan 
> > Nightingale
> > > > Sent: Wednesday, November 14, 2007 5:03 PM
> > > > To: W3C WSC Public
> > > >
> > > > Subject: Re: ISSUE-117 (serge): Eliminating Faulty 
> > > > Recommendations
>
> > > > [All]
> > > >
> > > >
> > > >
> > > >
> > > >
> > > >
> > > >
> > > > On 12-Nov-07, at 3:46 PM, <michael.mccormick@wellsfargo.com>
> > <michael.mccormick@wellsfargo.com > wrote:
> > > > Criteria 2, at least as phrased below, concerns me.  I don't 
> > > > feel WSC
> > should be constrained from making a recommendation just because a 
> > particular community may resist adopting it.  Our guidance on 
> > favicons
>
> > is a case in point.  I'm skeptical browsers will adopt that 
> > recommendation any time soon but it's still the right thing to do.  
> > If
>
> > browser manufacturers could always be counted on to do the right 
> > things for security on their own, then initiatives like WSC would be

> > less necessary.  Criteria 2 could also reinforce a perception among 
> > some skeptics that W3C is beholden to certain web technology vendors

> > and gives their needs priority over those of other industries or the
> broader user community.
> > > >
> > > > Parenthetical: I'm not sure if there's an implied slight in 
> > > > there or not
> > -- are we browser vendors assumed to be deliberately not doing the 
> > right things for security on our own?  Is there some other interest 
> > we
>
> > are supposed to be serving than the well-being of our users?  I 
> > can't speak for others, but I don't have any shareholders pulling my

> > strings
>
> > here.  The WSC has positive, constructive reasons for existing that 
> > don't trace themselves to "calling browsers to heel."
> > > >
> > > >
> > > >
> > > > I'm absolutely not sold on the idea that dropping favicons is 
> > > > the right
> > thing to do, but without meaning to diverge from issue-117, I would 
> > agree that we shouldn't elevate any members of the working group as 
> > being more influential than others.  I would also argue that 
> > recommendations for which we pat ourselves on the back, but which 
> > don't see any implementation anywhere, are mostly a waste of our 
> > time though.  Whether it's content authors, browser authors, crypto 
> > researchers, or some other group, I would hope that "this won't
work"
> > would be a topic of significant consideration and concern to our
> group.
> > > >
> > > >
> > > > Cheers,
> > > >
> > > >
> > > > Johnathan
> > > >
> > > >
> > > >
> > > >
> > > >
> > > >
> > > > ---
> > > > Johnathan Nightingale
> > > > Human Shield
> > > > johnath@mozilla.com
> > > >
> > > >
> > > >
> > > >
> > >
> > >
> >
> >
>
>
Received on Tuesday, 20 November 2007 22:07:47 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 5 February 2008 03:52:53 GMT