Re: [public-bpwg-comments] <none> ( LC-2014 LC-2015)

Hi Sean,

The Last Call review period for the Guidelines for Web Content 
Transformation Proxies is over and we have not yet heard from you. We 
were wondering whether you had time to review the response to your 
comments below and the updated document, and whether you could let us 
know if you agree with it or not via email.

The header of the previous email was generated from a template that did 
not give us the opportunity to apologize for the time it took us to get 
back to you. Comments received during the first Last Call review period 
generated a lot of discussions within the group. Resolutions of the 
issues took more time than expected. But I guess you already experienced 
that in the past ;) The group thinks the document has quite improved as 
a consequence, apologizes for the delay and would like to thank you 
again for your contribution!

Thanks,

For the Mobile Web Best Practices Working Group,
Francois Daoust,
W3C Staff Contact.


fd@w3.org wrote:
> Dear Sean Owen,
> 
> The Mobile Web Best Practices Working Group has reviewed the comments you
> sent [1] on the Last Call Working Draft [2] of the Content Transformation
> Guidelines 1.0 published on 1 Aug 2008. Thank you for having taken the time
> to review the document and to send us comments!
> 
> The Working Group's response to your comment is included below, and has
> been implemented in the new version of the document available at:
> http://www.w3.org/TR/2009/WD-ct-guidelines-20091006/.
> 
> Please review it carefully and let us know by email at
> public-bpwg-comments@w3.org if you agree with it or not before 6 November
> 2009. In case of disagreement, you are requested to provide a specific
> solution for or a path to a consensus with the Working Group. If such a
> consensus cannot be achieved, you will be given the opportunity to raise a
> formal objection which will then be reviewed by the Director during the
> transition of this document to the next stage in the W3C Recommendation
> Track.
> 
> Thanks,
> 
> For the Mobile Web Best Practices Working Group,
> Dominique Hazaël-Massieux
> François Daoust
> W3C Staff Contacts
> 
>  1. http://www.w3.org/mid/e920a71c0808040905kf14b7d7t93a5516c35553582@mail.gmail.com
>  2. http://www.w3.org/TR/2008/WD-ct-guidelines-20080801/
> 
> 
> =====
> 
> Your comment on 4.1.5.5 Original Headers:
>> 4.1.5.5 Since User-Agent has been the topic of some controversy in
>> comments, just wanted to voice support for the recommendation as
>> written here. While it is vital to preserve information about the
>> mobile device, this does not imply that User-Agent cannot be changed
>> if that information is otherwise preserved. Preserving the User-Agent
>> through a transforming proxy is misleading; the request is *not*
>> coming from a mobile device, but through a proxy. The origin server
>> should be aware of this.
> 
> 
> Working Group Resolution (LC-2014):
> Thanks. The group notes that it does not view the combination of a User
> Agent and a content transformation proxy as a new User Agent when the
> client software is not inherently linked to the network component. When it
> is, the communication between the client and the network is out of scope of
> this document, as explained in:
> http://www.w3.org/TR/2009/WD-ct-guidelines-20091006/Overview.html#sec-applicability
> 
> 
> 
> ----
> 
> Your comment on 4.3.6.2 HTTPS Link Re-writing:
>> 4.3.6.2 I think the Note here is a good one, but may be worth
>> expanding, since it is apparently already unclear to some how HTTPS
>> works here. The very purpose of HTTPS is to ensure that content is not
>> modified or read by third parties in transit, which means a
>> transforming proxy cannot jump into an HTTPS conversation between
>> mobile device and origin server. So there's not actually a question of
>> whether it's illegal or unethical -- it's simply not possible (unless
>> you have cracked SSL). It can only create a secure connection between
>> the mobile device and itself, and between itself and the origin
>> server. This is indeed a situation that the end user needs to
>> understand:
>>
>> I suggest wording along these lines, take it or leave it as you see fit
>> --
>>
>> URIs which begin with the https scheme, when accessed, are secured
>> against eavesdropping and modification by third parties by the SSL
>> protocol. It is therefore not possible for a third-party transforming
>> proxy to participate directly in such a connection between mobile
>> device and origin server. Transforming proxies may still transform
>> content of https resources, but at best, it involves creating a
>> separate secure connection between device and proxy, and between proxy
>> and origin server. These communications are secure but the secured
>> content is of course visible to the transforming proxy. This may of
>> course be undesirable to an end user.
>>
>> Therefore if a proxy rewrites https links, replacement links MUST at
>> least use the https scheme as well, and the proxy MUST use https to
>> communicate with the origin server. In addition the proxy MUST clearly
>> advise the user that the potentially sensitive contents of the
>> communication will be visible to the proxy, and must give the user an
>> option to opt out.
> 
> 
> Working Group Resolution (LC-2015):
> We agree and have added text to this section that goes some way to
> addressing your concern.
> 
> ----
> 
> 
> 
> 

Received on Monday, 16 November 2009 12:57:49 UTC