Re: Re: Comments on Content Transformation Guidelines? (LC-2016)

Dear Luca Passani,

The Mobile Web Best Practices Working Group has reviewed the comments you
sent [1] on the Last Call Working Draft [2] of the Content Transformation
Guidelines 1.0 published on 1 Aug 2008. Thank you for having taken the time
to review the document and to send us comments!

The Working Group's response to your comment is included below, and has
been implemented in the new version of the document available at:
http://www.w3.org/TR/2009/WD-ct-guidelines-20091006/.

Please review it carefully and let us know by email at
public-bpwg-comments@w3.org if you agree with it or not before 6 November
2009. In case of disagreement, you are requested to provide a specific
solution for or a path to a consensus with the Working Group. If such a
consensus cannot be achieved, you will be given the opportunity to raise a
formal objection which will then be reviewed by the Director during the
transition of this document to the next stage in the W3C Recommendation
Track.

Thanks,

For the Mobile Web Best Practices Working Group,
Dominique Hazaël-Massieux
François Daoust
W3C Staff Contacts

 1. http://www.w3.org/mid/48976F46.6010801@eunet.no
 2. http://www.w3.org/TR/2008/WD-ct-guidelines-20080801/


=====

Your comment on 4.3.6.2 HTTPS Link Re-writing:
> Having looked at the conversation you are having here, I think there is
> conflicting information about how HTTPS is handled by transcoding
> servers. I understand that not all transcoders work the same, but some
> do perform a man-in-the-middle attack, and IMO this should not be
> endorsed by the W3C guidelines.
>
> The way many transcoders work is that they run instances of real web
> browsers (talking about tens or hundreds of Internet Explorer instances
> running in the memory of the server here). This means that there is no
> way for content owners to protect against transcoders simply because
> the server is talking to a legitimate web browser, exchanging real
> certificates, logging in with real passwords, establishing secure SSL
> connections and all the rest.
> 
> The point of the Content Transformation Guidelines seems to be "some
> users may want to continue using the service at the cost of degrading 
> security". Well, this is not up to the user to decide, I am afraid. 
> HTTPS is also about non-repudiation and the fact that users must not be
> able to say "I did not do it" at a later stage. The fact that 
> transcoders have found a technical way to by-pass HTTPS security does
> not mean that they have the right to do it. Nor does it mean that 
> end-users can take advantage of it.
> 
> Luca


Working Group Resolution (LC-2016):
We agree and have added text to this section that goes some way to
addressing your concern.

----

Received on Tuesday, 6 October 2009 15:34:25 UTC