W3C home > Mailing lists > Public > wai-xtech@w3.org > July 2007

Re: managing alternatives

From: Gez Lemon <gez.lemon@gmail.com>
Date: Tue, 17 Jul 2007 00:35:45 +0100
Message-ID: <e2a28a920707161635h42a571e7te3933ad0aef25825@mail.gmail.com>
To: "Al Gilman" <Alfred.S.Gilman@ieee.org>
Cc: wai-xtech@w3.org

Hi Al,

Regarding providing CAPTCHA through content negotiation:

On 16/07/07, Al Gilman <Alfred.S.Gilman@ieee.org> wrote:

<quote>
This would take some exploration.  You don't really want to shut down
the transmission of all images just so you get the CAPTCHA with an
audio prompt.

For one thing, you don't want the right answer to the visual and
audio challenges to be the same string,  for  security reasons.  It
just makes the attacker's job too easy.  So it's not a simple <object>
substitution.  You have to put an opaque key in the form reply that tells
the server what right answer to look for.
</quote>

Forgive me if I'm being naive, stupid, or both, but I didn't think
that a visual, audio, or any other type of challenge would require the
same answer - I assumed that the challenge would be presented in
exactly the same way that an alternative challenge would be presented
if someone opts for a different challenge in the CAPTCHA systems
available on the web right now. The key that identifies a challenge
would be unique to the challenge; not the type of challenge being
presented.

Al said:

<quote>
My rough take on this is that content negotiation is an idea the
market has rejected and it won't be back. Not until the mobile
version with more subtle user preferences in CC/PP is up and running.
The pieces of this technology are mostly in place.
</quote>

I would bow to your superior knowledge in this area, but that is not
my take on the situation. My take is that content negotiation is an
area that's only just beginning to gain popularity; particularly in
the internationalisation community, where user-agents provide features
that afford content negotiation based on the user's preferred
language. Google have been doing this for years, with more and more
sites beginning to follow suit. I am not aware of other areas where
content negotiation is gaining popularity, so accept that you might be
correct in your assertion, but thought that CAPTCHAs might be a good
example where user preferences provided at the HTTP level might be
helpful.

Al said:

<quote>
So it's not actually available to users enough to meet the WCAG sense
of 'widely supported' in their discussion of accessibility-supported
technologies
</quote>

WCAG isn't so much concerned with how the user arrives at the content,
but that the content the user receives is accessible according to WCAG
2.0. If the original version the user receives is accessible, then
there isn't an issue. If the original version isn't accessible, then
there just needs to be a mechanism to obtain an accessible version,
which is what we were talking about at the start of this topic -
providing ways of ensuring that users can receive content to their
preferences, although I would always expect the primary content to be
accessible. With regards to CAPTCHA, I can't help thinking that
content negotiation is an excellent way of ensuring that users receive
challenged in their preferred format, regardless of what the market
response has been to date - providing content negotiation for CAPTCHA
is supported by user agents (a big if for the future), and users take
the time to set up their preferences (user responsibility). It would
at least provide the content in the most appropriate format according
to the user's preferences, and the author would still be responsible
for ensuring the user had a chance to change that option.

<quote>
My current expectation is that we should be looking for something
that is written out in a  scripted web page so as to work  in current
browsers as the near-term existence proof of feasible and sufficient
techniques.
</quote>

That would be the case, as the author should still provide a mechanism
for the user to change the type of challenge - in the same way that a
French version of a web page might be delivered to a user agent that
was set up with an accept-language header that indicated a preference
for French, but the author still offered various translations of the
page. The important point is that the user originally receives
something that most suited to their needs.


Gez


-- 
_____________________________
Supplement your vitamins
http://juicystudio.com
Received on Monday, 16 July 2007 23:35:51 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Friday, 27 April 2012 13:15:43 GMT