Re: [public-bpwg-comments] <none> ( LC-2014 LC-2015)

Dear Sean Owen,

The Mobile Web Best Practices Working Group has reviewed the comments you
sent [1] on the Last Call Working Draft [2] of the Content Transformation
Guidelines 1.0 published on 1 Aug 2008. Thank you for having taken the time
to review the document and to send us comments!

The Working Group's response to your comment is included below, and has
been implemented in the new version of the document available at:
http://www.w3.org/TR/2009/WD-ct-guidelines-20091006/.

Please review it carefully and let us know by email at
public-bpwg-comments@w3.org if you agree with it or not before 6 November
2009. In case of disagreement, you are requested to provide a specific
solution for or a path to a consensus with the Working Group. If such a
consensus cannot be achieved, you will be given the opportunity to raise a
formal objection which will then be reviewed by the Director during the
transition of this document to the next stage in the W3C Recommendation
Track.

Thanks,

For the Mobile Web Best Practices Working Group,
Dominique Hazaël-Massieux
François Daoust
W3C Staff Contacts

 1. http://www.w3.org/mid/e920a71c0808040905kf14b7d7t93a5516c35553582@mail.gmail.com
 2. http://www.w3.org/TR/2008/WD-ct-guidelines-20080801/


=====

Your comment on 4.1.5.5 Original Headers:
> 4.1.5.5 Since User-Agent has been the topic of some controversy in
> comments, just wanted to voice support for the recommendation as
> written here. While it is vital to preserve information about the
> mobile device, this does not imply that User-Agent cannot be changed
> if that information is otherwise preserved. Preserving the User-Agent
> through a transforming proxy is misleading; the request is *not*
> coming from a mobile device, but through a proxy. The origin server
> should be aware of this.


Working Group Resolution (LC-2014):
Thanks. The group notes that it does not view the combination of a User
Agent and a content transformation proxy as a new User Agent when the
client software is not inherently linked to the network component. When it
is, the communication between the client and the network is out of scope of
this document, as explained in:
http://www.w3.org/TR/2009/WD-ct-guidelines-20091006/Overview.html#sec-applicability



----

Your comment on 4.3.6.2 HTTPS Link Re-writing:
> 4.3.6.2 I think the Note here is a good one, but may be worth
> expanding, since it is apparently already unclear to some how HTTPS
> works here. The very purpose of HTTPS is to ensure that content is not
> modified or read by third parties in transit, which means a
> transforming proxy cannot jump into an HTTPS conversation between
> mobile device and origin server. So there's not actually a question of
> whether it's illegal or unethical -- it's simply not possible (unless
> you have cracked SSL). It can only create a secure connection between
> the mobile device and itself, and between itself and the origin
> server. This is indeed a situation that the end user needs to
> understand:
> 
> I suggest wording along these lines, take it or leave it as you see fit
> --
> 
> URIs which begin with the https scheme, when accessed, are secured
> against eavesdropping and modification by third parties by the SSL
> protocol. It is therefore not possible for a third-party transforming
> proxy to participate directly in such a connection between mobile
> device and origin server. Transforming proxies may still transform
> content of https resources, but at best, it involves creating a
> separate secure connection between device and proxy, and between proxy
> and origin server. These communications are secure but the secured
> content is of course visible to the transforming proxy. This may of
> course be undesirable to an end user.
> 
> Therefore if a proxy rewrites https links, replacement links MUST at
> least use the https scheme as well, and the proxy MUST use https to
> communicate with the origin server. In addition the proxy MUST clearly
> advise the user that the potentially sensitive contents of the
> communication will be visible to the proxy, and must give the user an
> option to opt out.


Working Group Resolution (LC-2015):
We agree and have added text to this section that goes some way to
addressing your concern.

----

Received on Tuesday, 6 October 2009 15:50:07 UTC
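
The following is an added example, not part of the original message or of the Working Group's text: a Python check for the first requirement in the wording suggested under 4.3.6.2, that a replacement for an https link must itself use the https scheme. The function names, the host names and the assumption that the proxy keeps links in document order are hypothetical; the requirements on the proxy-to-origin connection and on advising the user cannot be checked from the markup and are not covered.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class LinkCollector(HTMLParser):
    """Collects the href of every <a> element, in document order."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href")
        if tag == "a" and href is not None:
            self.hrefs.append(href)


def absolute_links(html, base_url):
    """Resolve each link against the URL the page was served from, so that
    relative and scheme-relative links get the scheme they would really use."""
    collector = LinkCollector()
    collector.feed(html)
    collector.close()
    return [urljoin(base_url, href) for href in collector.hrefs]


def audit_rewrite(origin_html, origin_url, proxied_html, proxied_url):
    """Return (finding, original_link, replacement_link) tuples.

    Assumption: the proxy keeps links in document order, so the n-th link of
    the transformed page replaces the n-th link of the original page."""
    before = absolute_links(origin_html, origin_url)
    after = absolute_links(proxied_html, proxied_url)
    if len(before) != len(after):
        return [("link-count-mismatch", str(len(before)), str(len(after)))]
    return [
        ("scheme-downgrade", old, new)
        for old, new in zip(before, after)
        if urlsplit(old).scheme == "https" and urlsplit(new).scheme != "https"
    ]


# Constructed sample pages; every host name below is a placeholder.
ORIGIN = '<a href="/login">Log in</a> <a href="http://news.example/">News</a>'
DOWNGRADED = ('<a href="http://proxy.example/t/bank.example/login">Log in</a> '
              '<a href="http://proxy.example/t/news.example/">News</a>')
PRESERVED = ('<a href="/t/bank.example/login">Log in</a> '
             '<a href="http://proxy.example/t/news.example/">News</a>')
```

Because links are resolved against the URL each page was served from, a relative replacement link counts as https only when the transformed page itself was delivered over https.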