- From: Michiel Bijl <michiel@agosto.nl>
- Date: Fri, 17 Jun 2016 12:43:49 +0200
- To: ARIA Working Group <public-aria@w3.org>
- Message-Id: <E62BB6E9-B612-4633-AD87-787B4A1B01BB@agosto.nl>
To clarify, this is not a formal objection, I’m not in any postion to do that. I do want to raise awareness for all the unanswered question regarding the password role. —Michiel > On 17 Jun 2016, at 12:10, Michiel Bijl <michiel@agosto.nl> wrote: > > All, > > A lot has been said about the password role. Security problems, lack of good use cases, and difficulties for users. Despite all that, it seems it will still get into the final specification. I would like to quote the ‘Priority of Constituencies <https://www.w3.org/TR/html-design-principles/#priority-of-constituencies>’ (thank you Jonathan Kingston for reminding me <https://jotter.jonathankingston.co.uk/blog/2016/05/16/role-password-is-not-wise/>): > >> In case of conflict, consider users over authors over implementors over specifiers over theoretical purity. > > How is adding a role—where one of the use cases is preventing the use of password managers—helping the users? How does that adhere to the priority of constituencies? > > To give some background to this e-mail, I’ve looked up some discussions on the list: > > James Craig opposing this on potential security implications <https://lists.w3.org/Archives/Public/public-aria/2016Jan/0064.html> > Léonie Watson expressing concerns about character obfuscation <https://lists.w3.org/Archives/Public/public-aria/2016Jan/0065.html> > Birkir Gunnarsson stating we are reinventing the wheel <https://lists.w3.org/Archives/Public/public-aria/2016Jan/0066.html> (and suggesting we might be better of with an aria-secure attribute) > Brad Hill on security risks and website identify verification <https://lists.w3.org/Archives/Public/public-aria/2016May/0009.html> > Léonie Watson expressing concerns about AT’s announcing “custom password” <https://lists.w3.org/Archives/Public/public-aria/2016May/0001.html> > John Foliot expressing concerns in general about the password role <https://lists.w3.org/Archives/Public/public-aria/2016May/0004.html> > Me asking for an update on contact with the Security & Privacy IG (no reply) <https://github.com/w3c/aria/issues/166#issuecomment-176638972> > > Some more background links: > > Original post to list by Joanie <https://lists.w3.org/Archives/Public/public-aria/2016Jan/0053.html> > Issue on W3C tracker <http://www.w3.org/WAI/ARIA/track/issues/1005> > Security check by Microsoft <http://www.w3.org/WAI/ARIA/track/actions/2020> (W3C tracker issue) > Jonathan Kingston’s excellent piece on the password role <https://jotter.jonathankingston.co.uk/blog/2016/05/16/role-password-is-not-wise/> > Marco Zehe agreeing with Jonathan’s article on Twitter <https://twitter.com/MarcoInEnglish/status/743680877444497408> > > > I’ve reread large parts of the threads, and don’t see any good reason to implement this. There don’t seem to be a lot of people in favour of this role. There are however a lot of people raising concerns. There hasn’t been a formal review by any of the security working groups as far as I can tell. > > So why is this role being pushed so hard despite all the concerns raised? > > —Michiel >
Received on Friday, 17 June 2016 10:44:20 UTC