W3C home > Mailing lists > Public > w3c-wai-ua@w3.org > July to September 2008

Extended Validation SSL indication

From: Jim Allan <jimallan@tsbvi.edu>
Date: Tue, 19 Aug 2008 17:20:47 -0500
To: <w3c-wai-ua@w3.org>
Message-ID: <016201c90249$d45c59a0$7d150ce0$@edu>

Just read an interesting article " Earn Trust With Extended Validation SSL"
from
http://www.thestylesheet.com/featured-articles/2008/08/earn-trust-with-exten
ded-validation-ssl/ 

The article was related to security but mentioned the browsers address bar
turning green and other indicators to tell the user about the valid
certificate. My accessibility alarm bells gave a ring.

So I tested with Jaws in IE7 and FF3. Went to http://www.papercheck.com/ as
a test. The address bar does indeed turn green when you activate a
'purchase' link. 
In IE7 valid certificate information also appears to the right of  the
address field. You are able to tab to this information, space bar opens it,
and with some routing of Jaws to PC cursor, you can read what is there. But
I was not able to activate any of the links (or tab to them) in the valid
certificate information. Mouse was the only interaction possible.

In FF3 valid certificate information also appears in the address field to
the left of the actual address. You are able to tab to this information,
space bar opens it, and JAWS reads the information. Then you can tab to
actionable items, open them, and interact will all of the information in the
new windows. 

The concern is that there is no notification to the user indicating that new
information appeared in the UA user interface other than the color change
and new text appears in or near the address bar. The UA generates these
items from meta tags in the head of the page. 
<link rel="meta" href="https://www.papercheck.com/labels.xml"
type="application/rdf+xml" title="ICRA labels">
<meta http-equiv="pics-Label" content='(pics-1.1
"https://www.icra.org/pics/vocabularyv03/" l gen true for
"https://www.papercheck.com/"  ...>

Security information is critical to all users. The UA should alert the user
when this 'pop-on' security information is available. This is different from
being altered that you are going to a secure website. UAs already have that
functionality. It should be documented. The resulting
information/interaction should be keyboard accessible and available
programmatically. 

I did a quick review of UAAG20 but did not find anything specific.  This
needs further discussion, but after we have keyboarding completed. 

Thoughts? Other issues related to information appearing in the address bar
or elsewhere in the UA interface?

Jim Allan, Accessibility Coordinator & Webmaster
Texas School for the Blind and Visually Impaired
1100 W. 45th St., Austin, Texas 78756
voice 512.206.9315    fax: 512.206.9264  http://www.tsbvi.edu/
"We shape our tools and thereafter our tools shape us." McLuhan, 1964
Received on Tuesday, 19 August 2008 22:26:49 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 27 October 2009 06:52:01 GMT