Re: 7 Day Call for Consensus March 17, 2016 ARIA Working Group Resolutions

On Sat, 02 Apr 2016 13:22:13 +0200, Rich Schwerdtfeger  
<richschwer@gmail.com> wrote:

> No. We spoke to Microsoft browser people. They did not believe we made  
> the problem worse.
>
> Our solution thus far actually narrows it for screen reader users.

I think there are further issues. With a real HTML password input,  
browsers have specific behaviour, like blocking copy, offering to add the  
password to a password manager instead of recording it for future  
autocomplete, and the like.

The solution of echoing characters is better than nothing, but for users  
who frequently type a given password, it seems quite likely that they will  
be at least halfway through before they realise that they have exposed it  
and stop.

The current approach seems to have the long-term problem that it blurs the  
difference between a real password field and something that seems like one  
to the point where users are no longer able to make a decision for  
themselves based on knowledge of what they are actually doing.

I'd like to understand the use cases that make people think it is  
worthwhile providing a custom password field.

I can imagine streamlining the process of using an alternative  
authentication scheme, but I am not sure that the benefit here is  
worthwhile. There is also making the password field fit the local style,  
which is a definite benefit e.g. for reducing cognitive load, but I'm not  
convinced it is worth the cost in security - in particular because I fail  
to see how an ARIA role would help much in that use case.

> I asked Cynthia to reach out to Microsoft as I felt their browser team  
> would be more experienced in dealing with browser security issues than  
> an interest group. That said, who do you recommend I ask in the security  
> ig? Are they active?

The IG has the official role of doing review in much the same way APA does  
for accessibility. The idea is that it has access to a broader range of  
experts than any one product team since for starters it has participants  
in multiple product teams. At the same time, as you know, that doesn't  
actually guarantee a particular question gets all those people engaged,  
but I think it is worth at least asking.

You should ask Virginie Galindo, the chair of the group, or send a direct  
request to the group yourself - or I can do so if you like.

Their activity level rises and falls :S like many review groups.

cheers

Chaals

> Rich
>
> Sent from my iPad
>
>> On Apr 1, 2016, at 7:18 PM, Chaals McCathie Nevile  
>> <chaals@yandex-team.ru> wrote:
>>
>>> On Sat, 02 Apr 2016 01:19:22 +0200, Rich Schwerdtfeger  
>>> <richschwer@gmail.com> wrote:
>>>
>>> The security hole already exists whether we apply the role or not. Yes  
>>> it is a big concern.
>>
>> Sure. A concern I have is that if we accept that browsers won't do  
>> anything here, then by effectively just hoping authors do the right  
>> thing, we're actively expanding the security hole.
>>
>> I'm wondering if there is a design that doesn't do that. Also, did  
>> anyone ask the security IG (who do security review like APA does  
>> accessibility review) to take a look at this?
>>
>> cheers
>>
>>> Rich Schwerdtfeger
>>>
>>>
>>>
>>>
>>>> On Apr 1, 2016, at 6:12 PM, Chaals McCathie Nevile  
>>>> <chaals@yandex-team.ru> wrote:
>>>>
>>>> On Fri, 01 Apr 2016 23:55:22 +0200, Rich Schwerdtfeger  
>>>> <richschwer@gmail.com> wrote:
>>>>
>>>>> Hi James,
>>>>>
>>>>> Good to hear from you again.
>>>>>
>>>>> 1. Backward compatibility
>>>>>
>>>>> I understand. Is there a way for you to patch other versions?
>>>>
>>>> This is IMHO a really big concern. Given a broad deployment of stuff  
>>>> that can't obviously be updated, any security solution should not  
>>>> leave people unsecured just because they didn't upgrade. So a  
>>>> solution should be designed so it doesn't get applied in an insecure  
>>>> context, like an old AT missing the patching we hope will one day  
>>>> make this issue irrelevant.
>>>>
>>>> cheers
>>>>
>>>> Chaals
>>>>
>>>> --
>>>> Charles McCathie Nevile - web standards - CTO Office, Yandex
>>>> chaals@yandex-team.ru - - - Find more at http://yandex.com
>>>
>>
>>
>> --
>> Charles McCathie Nevile - web standards - CTO Office, Yandex
>> chaals@yandex-team.ru - - - Find more at http://yandex.com


-- 
Charles McCathie Nevile - web standards - CTO Office, Yandex
  chaals@yandex-team.ru - - - Find more at http://yandex.com
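The distinction Chaals draws above, between a real HTML password input (copy blocked, handed to the password manager rather than recorded for autocomplete, masking done by the browser) and a custom widget that merely claims the role, is something a site owner can audit for. The following is an added example, not code from the thread or from the ARIA Working Group: a small defender-side check that walks a list of form elements and reports which password-entry widgets are native controls and which rely only on an ARIA role. It assumes the role under discussion would be spelled `role="password"` (the thread never gives the literal attribute value) and, so that it runs offline, uses constructed stand-in elements; in a browser you would pass `Array.from(document.querySelectorAll('input, [role]'))` instead.

```javascript
// Added example (not part of the W3C thread). Audits password-entry widgets
// on a page: native <input type="password"> controls get the browser
// protections described in the thread, while a custom element that only
// carries role="password" (assumed spelling) gets none of them.

// Risks the thread attributes to a custom field that is not a native
// password input.
const CUSTOM_ROLE_RISKS = [
  'browser copy/cut blocking for password inputs does not apply',
  'password managers will not offer to store the value; a plain text input may ' +
    'instead record it in ordinary autocomplete history',
  'masking depends entirely on author script; assistive technology that does ' +
    'not understand the role may echo typed characters',
];

// Short human-readable tag for reports, e.g. <input name="pw">.
function describe(el) {
  const id = el.getAttribute('id');
  const name = el.getAttribute('name');
  const tag = el.tagName.toLowerCase();
  return `<${tag}${id ? ` id="${id}"` : ''}${name ? ` name="${name}"` : ''}>`;
}

// Accepts any array of element-like objects exposing `tagName` and
// `getAttribute(name)` (real DOM nodes qualify). Returns one finding per
// widget that is, or claims to be, a password field.
function auditPasswordWidgets(elements) {
  const findings = [];
  for (const el of elements) {
    const tag = el.tagName.toLowerCase();
    const type = (el.getAttribute('type') || 'text').toLowerCase();
    const role = (el.getAttribute('role') || '').trim().toLowerCase();
    const isNative = tag === 'input' && type === 'password';
    const claimsRole = role === 'password'; // assumed ARIA role name

    if (isNative) {
      // Native control: browser-enforced protections, nothing to flag here.
      findings.push({ element: describe(el), kind: 'native', risks: [] });
    } else if (claimsRole) {
      // Looks like a password field to AT, but behaves like a text field to
      // the browser: every protection in the list is missing.
      findings.push({ element: describe(el), kind: 'custom-role', risks: [...CUSTOM_ROLE_RISKS] });
    }
  }
  return findings;
}

// Constructed stand-ins for DOM elements so the audit runs outside a browser.
function fakeElement(tagName, attrs) {
  return {
    tagName: tagName.toUpperCase(),
    getAttribute: (n) => (Object.prototype.hasOwnProperty.call(attrs, n) ? attrs[n] : null),
  };
}

const SAMPLE_PAGE = [
  fakeElement('input', { type: 'password', name: 'pw', autocomplete: 'current-password' }),
  fakeElement('div', { role: 'password', id: 'styled-pw', contenteditable: 'true' }),
  fakeElement('input', { type: 'text', role: 'password', name: 'pw2' }),
  fakeElement('input', { type: 'text', name: 'username' }),
];

// Plain-text report: one line per widget, risks indented beneath custom ones.
function summarise(findings) {
  return findings
    .map((f) => {
      const head = `${f.kind === 'native' ? 'OK  ' : 'RISK'} ${f.element}`;
      return f.risks.length ? `${head}\n      - ${f.risks.join('\n      - ')}` : head;
    })
    .join('\n');
}

console.log(summarise(auditPasswordWidgets(SAMPLE_PAGE)));
```

The username field is deliberately left out of the findings: the audit is only about widgets that present themselves as password entry, since those are the ones where the gap between what the user believes and what the browser enforces matters.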

Received on Sunday, 3 April 2016 01:40:53 UTC