Re: Comments on BP2

On Thu, Mar 13, 2008 at 4:48 PM, Sullivan, Bryan <> wrote:
>  We need to be careful not to follow too strict a "mobile-specific" focus
>  or we will end up saying very little indeed. Certainly the Mobile Web
>  shares technology and service paradigms with the Wired Web. But to say
>  that anything which has any significance whatsoever in the Wired Web
>  case is thus out of scope for the MWI, is not helpful.

Good thing that is not what I said. Rather, I say that things which
have a particular significance to the mobile web are in scope, and
those only. Otherwise, what does "Mobile" in MWI mean? We could write
about any old web-related ideas then. We absolutely do have a
mobile-specific focus. I think we agree in principle because you say:

>  I included various topics of interest to the broader web specifically
>  because the nature of the Mobile Web raises their importance to be
>  addressed as best practices, either because they are more important
>  fundamentally in the Mobile Web case, or the techniques which support
>  them are more problematic in the Mobile Web case. Personalization as an
>  objective of increasing service value is one such aspect. These are

Yes, existing issues with renewed or different concerns in mobile are
in scope. "Keeping personal info private" does not strike me as one of
these, but I should explain below...

>  thus more difficult to address in the mobile environment. Automatic
>  personalization, and easy-to-use methods for input of personalizing
>  information when necessary, make this a realizable goal for mobile
>  services.

I don't think I objected to the idea of personalization on mobile... ?

>  methods which can be used and supplement HTTPS for critical
>  personalization phases, e.g. as I have mentioned in the best practices.
>  Many developers simply will not be aware that there may be concerns
>  about personal information trust/security, and further have any clue how
>  to do it other than use HTTPS, which will work fine as I have said for
>  the Wired Web, but not as a general approach for the Mobile Web. Thus
>  there is a higher need for something (personalization), and a less
>  robust environment to provide it. These combine to an issue which is
>  valuable to address as a best practice.

If you mean that it's OK to exchange credentials over HTTPS and then
exchange a session token of some kind from there over HTTP, I don't
agree. That token is a key to a session, and untold other personal
information, and must be kept secure. Otherwise why would we have
HTTPS at all? my 128-bit session cookie's ID would be enough after
login. If the original exchange was important enough to warrant HTTPS,
HTTPS is warranted when exchanging its equivalents. I think suggesting
developers concoct an alternative that they think is secure enough is
asking for trouble.

If the rest of the BP is saying, don't use HTTPS without need, then I
agree. That's a good example -- a zip code is possibly not sensitive
per se.

I suppose my complete thought, which was not expressed, is that I
don't agree with the parts written that suggest using anything but
HTTPS where security is legitimately needed. Then what's left is just
what anyone would recommend for the web.

>  Re 5.3.2, many web applications will use device storage outside the
>  browser cache, and the market is "gearing" up for this. We need to
>  recognize this and prepare best practices that set expectations on the
>  impact to limited device resources.

OK, maybe so, if the web browser truly becomes an application platform
with access to local storage. Then I'd say this isn't even practice
yet, let alone best practice. It may seem I am being picky, but, again
I feel strongly that this document is about codifying current best
practice. It's what people turn to to catch up on what they should do

We can write that applications should warn about how much storage they
use, but, right now I don't know that AJAX apps can even access the
browser cache or local filesystem to even know that (I could stand to
be corrected)? How would anyone do this today?

>  Re 5.4.2, BP1 said simply "don't do it" re Redirect. What I'm saying is
>  that there needs to be *realistic* guidelines on what should be the
>  typical use of redirect in the cases I have mentioned, which are
>  typical. BP1 did not adequately address this, as I pointed out in the
>  Nov 07 F2F.

BP1 didn't quite say this. It said don't use <meta> and limit to one
redirect if you can. I suppose you're saying two here. If that's the
difference, if that's deemed important... OK. I suppose I find it
virtually the same.

>  Re 5.9.4 Provide Alternatives to AJAX, this specifically is assuming
>  that not *all* devices will support AJAX, which is reasonable. The point
>  is that AJAX/scripted applications need to be provided in alternate
>  forms to work on such devices. Perhaps obvious, but then we are SME's
>  and this is not written for us.

But then nothing is said about what that means, so what is the purpose
of writing this? "How to do it" is to "build something else for these
devices?" I think this BP is present to pretend we're not limiting
ourselves to AJAX-capable devices, when we are, and that's fine.

I can only say I recommend against writing a document like this. I
think it is missing some useful, concrete recommendations based on
current best practice, and veering out of scope. I would not support
something like this being published, but if I am in the minority
that's OK.

Received on Thursday, 13 March 2008 21:38:37 UTC