Re: 7 Day Call for Consensus March 17, 2016 ARIA Working Group Resolutions

Thank you for your feedback. I will reach out to the IG and cc the ARIA WG list vs. this one. As you know it is also public.

Regarding authentication, we agree passwords are long past their effectiveness. In my view, for cognitive and age-related issues they are a non-starter. We need a new mechanism integrated into the web.

Rich

Sent from my iPad

> On Apr 2, 2016, at 8:39 PM, Chaals McCathie Nevile <chaals@yandex-team.ru> wrote:
> 
>> On Sat, 02 Apr 2016 13:22:13 +0200, Rich Schwerdtfeger <richschwer@gmail.com> wrote:
>> 
>> No. We spoke to Microsoft browser people. They did not believe we made the problem worse.
>> 
>> Our solution thus far actually narrows it for screen reader users.
> 
> I think there are further issues. With a real HTML password input, browsers have specific behaviour, like blocking copy, offering to add the password to a password manager instead of recording it for future autocomplete, and the like.
> 
> The solution of echoing characters is better than nothing, but for users who frequently type a given password, it seems quite likely that they will be at least halfway through before they realise that they have exposed it and stop.
> 
> The current approach seems to have the long-term problem that it blurs the difference between a real password field and something that seems like one to the point where users are no longer able to make a decision for themselves based on knowledge of what they are actually doing.
> 
> I'd like to understand the use cases that make people think it is worthwhile providing a custom password field.
> 
> I can imagine streamlining the process of using an alternative authentication scheme, but I am not sure that the benefit here is worthwhile. There is also making the password field fit the local style, which is a definite benefit e.g. for reducing cognitive load, but I'm not convinced it is worth the cost in security - in particular because I fail to see how an ARIA role would help much in that use case.
> 
>> I asked Cynthia to reach out to Microsoft as I felt their browser team would be more experienced in dealing with browser security issues than an interest group. That said, who do you recommend I ask in the security IG? Are they active?
> 
> The IG has the official role of doing review in much the same way APA does for accessibility. The idea is that it has access to a broader range of experts than any one product team since for starters it has participants in multiple product teams. At the same time, as you know, that doesn't actually guarantee a particular question gets all those people engaged, but I think it is worth at least asking.
> 
> You should ask Virginie Galindo, the chair of the group, or send a direct request to the group yourself - or I can do so if you like.
> 
> Their activity level rises and falls :S like many review groups.
> 
> cheers
> 
> Chaals
> 
>> Rich
>> 
>> Sent from my iPad
>> 
>>> On Apr 1, 2016, at 7:18 PM, Chaals McCathie Nevile <chaals@yandex-team.ru> wrote:
>>> 
>>>> On Sat, 02 Apr 2016 01:19:22 +0200, Rich Schwerdtfeger <richschwer@gmail.com> wrote:
>>>> 
>>>> The security hole already exists whether we apply the role or not. Yes it is a big concern.
>>> 
>>> Sure. A concern I have is that if we accept that browsers won't do anything here, then by effectively just hoping authors do the right thing, we're actively expanding the security hole.
>>> 
>>> I'm wondering if there is a design that doesn't do that. Also, did anyone ask the security IG (who do security review like APA does accessibility review) to take a look at this?
>>> 
>>> cheers
>>> 
>>>> Rich Schwerdtfeger
>>>> 
>>>> 
>>>> 
>>>> 
>>>>> On Apr 1, 2016, at 6:12 PM, Chaals McCathie Nevile <chaals@yandex-team.ru> wrote:
>>>>> 
>>>>> On Fri, 01 Apr 2016 23:55:22 +0200, Rich Schwerdtfeger <richschwer@gmail.com> wrote:
>>>>> 
>>>>>> Hi James,
>>>>>> 
>>>>>> Good to hear from you again.
>>>>>> 
>>>>>> 1. Backward compatibility
>>>>>> 
>>>>>> I understand. Is there a way for you to patch other versions?
>>>>> 
>>>>> This is IMHO a really big concern. Given a broad deployment of stuff that can't obviously be updated, any security solution should not leave people unsecured just because they didn't upgrade. So a solution should be designed so it doesn't get applied in an insecure context, like an old AT missing the patching we hope will one day make this issue irrelevant.
>>>>> 
>>>>> cheers
>>>>> 
>>>>> Chaals
>>>>> 
>>>>> --
>>>>> Charles McCathie Nevile - web standards - CTO Office, Yandex
>>>>> chaals@yandex-team.ru - - - Find more at http://yandex.com
>>> 
>>> 
>>> --
>>> Charles McCathie Nevile - web standards - CTO Office, Yandex
>>> chaals@yandex-team.ru - - - Find more at http://yandex.com
> 
> 
> -- 
> Charles McCathie Nevile - web standards - CTO Office, Yandex
> chaals@yandex-team.ru - - - Find more at http://yandex.com

Received on Sunday, 3 April 2016 11:41:52 UTC