Re: 7 Day Call for Consensus March 17, 2016 ARIA Working Group Resolutions

The security hole already exists whether we apply the role or not. Yes, it is a big concern.

Rich Schwerdtfeger




> On Apr 1, 2016, at 6:12 PM, Chaals McCathie Nevile <chaals@yandex-team.ru> wrote:
> 
> On Fri, 01 Apr 2016 23:55:22 +0200, Rich Schwerdtfeger <richschwer@gmail.com> wrote:
> 
>> Hi James,
>> 
>> Good to hear from you again.
>> 
>> 1. Backward compatibility
>> 
>> I understand. Is there a way for you to patch other versions?
> 
> This is IMHO a really big concern. Given a broad deployment of stuff that can't obviously be updated, any security solution should not leave people unsecured just because they didn't upgrade. So a solution should be designed so it doesn't get applied in an insecure context, like an old AT missing the patching we hope will one day make this issue irrelevant.
> 
> cheers
> 
> Chaals
> 
> -- 
> Charles McCathie Nevile - web standards - CTO Office, Yandex
> chaals@yandex-team.ru - - - Find more at http://yandex.com

Received on Friday, 1 April 2016 23:19:50 UTC