Re: CT Guidelines 1t

After a first scan of version 1t of the CTG, I have noticed two issues that seem to
have been handled not quite according to past decisions.


ACTION-988

My original proposal was to include the following sentence in 4.1.5.3:

-----
Proxies must assume that by default users wish to receive a representation 
prepared by the Web site.
-----

Currently, 4.1.5.3 instead reads:

-----
Proxies should assume that by default users will wish to receive a 
representation prepared by the Web site.
-----

In my original proposal, I was clear that if 4.1.5.3 read "proxies should", then an
additional safeguard is needed in 4.2.2 as follows:

-----
If the default proxy behaviour, in the absence of any explicit user preference, is
to transform content, then the user must have an additional option to specify a
blanket inhibition of content transformation for all sites.
-----

The reason is that, with the other provisions in the document, the only possibility
to avoid restructuring is on a tedious Web-site-by-Web-site basis.

My preference is for the first approach (Proxies must), which means that CTG proxies
only transform when asked to. If the default behaviour is opt-out of transformations,
then a strong, general opt-out option is needed, so that the behaviour "do not
transform representations prepared by the Web site without asking the explicit,
specific consent of users if they by default want the unadulterated experience"
is enforced.



ACTION-989

The text in 4.2.9

-----
the response contains a resource that is referenced as an included resource suitable
for "handheld" in a resource that was itself handled transparently;
-----

is to be moved to the mandatory list of bullet points.




H.1.2 Use of HTTP 403 Status

Let me throw in a disambiguation change, free of charge.

Replace:
-----
Servers should consider using an HTTP 403 Status if it is concerned that the security
of a link that it assumed to be private has been compromised (for example as a result
of the presence of a Via HTTP header in an HTTPS request).
-----
with
-----
Servers should consider using an HTTP 403 Status if concerned that the security
of a link assumed to be private has been compromised (for example, the lack of 
privacy may be inferred from the presence of a Via HTTP header field in an HTTPS 
request).
-----
The reason is that the original text can be interpreted as stating that a Via
HTTP header field is by itself a source of insecurity.



E.Casais
Received on Monday, 21 September 2009 20:29:21 UTC
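The server-side check that H.1.2 describes, as an added example that is not part of the CTG text or of the message above: an HTTPS request that carries a Via header field was handled by an intermediary, so the link the server assumed to be private (end-to-end TLS) is not, and the server answers 403. Via on plain HTTP is left alone, since proxies are expected there and that is what the CTG governs. The WSGI environ representation, the `TRUSTED_VIA_PSEUDONYMS` allow-list (for a deployment's own TLS-terminating front end, which would also add a Via entry) and the sample requests are assumptions made for this example.

```python
"""Refuse HTTPS requests that show signs of an intermediary (Via header).

Added example; not code from the CTG document or from the e-mail author.
Assumptions: the request is a WSGI environ dict, and the only intermediaries
the server trusts are the pseudonyms in TRUSTED_VIA_PSEUDONYMS (hypothetical).
"""
import re

# Hypothetical allow-list of Via pseudonyms belonging to the server's own
# front ends (e.g. a load balancer that terminates TLS). Any other entry in
# Via on an HTTPS request is treated as an untrusted intermediary.
TRUSTED_VIA_PSEUDONYMS = {"edge-lb"}

_COMMENT = re.compile(r"\([^)]*\)")  # "(Apache/1.1)" style comments


def parse_via(value):
    """Split a Via field value into (received-protocol, received-by) pairs.

    Simplified RFC 2616 section 14.45 grammar: each comma-separated element
    is [protocol-name "/"] protocol-version received-by [comment]. Comments
    are stripped first so a comma inside one does not split an element.
    """
    entries = []
    for element in _COMMENT.sub("", value).split(","):
        parts = element.split()
        if not parts:
            continue
        # A malformed element (no received-by) is still recorded so that it
        # is flagged rather than silently ignored.
        entries.append((parts[0], parts[1] if len(parts) > 1 else ""))
    return entries


def untrusted_intermediaries(environ):
    """Return received-by names in Via that are not on the allow-list."""
    via = environ.get("HTTP_VIA")
    if not via:
        return []
    return [by for _proto, by in parse_via(via)
            if by not in TRUSTED_VIA_PSEUDONYMS]


def is_https(environ):
    """True when the request reached the server over TLS."""
    return environ.get("wsgi.url_scheme", "http").lower() == "https"


def decide(environ):
    """Return (status_code, reason) for the request.

    Via on plain HTTP is normal and is not penalised. Via on HTTPS means
    something between client and server handled the request, so the link
    the server assumed private has been compromised: answer 403.
    """
    if is_https(environ):
        unknown = untrusted_intermediaries(environ)
        if unknown:
            return 403, "intermediary on HTTPS link: " + ", ".join(unknown)
    return 200, "ok"


def app(environ, start_response):
    """Minimal WSGI application applying the check."""
    status, reason = decide(environ)
    body = reason.encode("utf-8")
    phrase = "Forbidden" if status == 403 else "OK"
    start_response(
        f"{status} {phrase}",
        [("Content-Type", "text/plain; charset=utf-8"),
         ("Content-Length", str(len(body)))],
    )
    return [body]


if __name__ == "__main__":
    # Constructed sample requests (not captured traffic).
    samples = {
        "plain http via CT proxy": {"wsgi.url_scheme": "http",
                                    "HTTP_VIA": "1.1 transcoder.example (CT proxy)"},
        "https, no intermediary": {"wsgi.url_scheme": "https"},
        "https via own front end": {"wsgi.url_scheme": "https",
                                    "HTTP_VIA": "1.1 edge-lb"},
        "https intercepted": {"wsgi.url_scheme": "https",
                              "HTTP_VIA": "1.0 fred, 1.1 transcoder.example (CT, proxy)"},
    }
    for name, environ in samples.items():
        print(f"{name:24s} -> {decide(environ)}")
```

Two caveats a practitioner should keep in mind: a transforming proxy that terminates TLS itself and re-encrypts towards the origin can simply omit Via, so absence of the header proves nothing; and if the server's own reverse proxy strips or rewrites Via, the check has to run on the front end rather than on the origin.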