- From: Ivan Herman <ivan@w3.org>
- Date: Thu, 12 May 2022 14:12:46 +0200
- To: Nick Doty <ndoty@cdt.org>
- Cc: Matt Garrish <matt.garrish@gmail.com>, W3C EPUB 3 Working Group <public-epub-wg@w3.org>, public-privacy@w3.org
- Message-Id: <FE600D1A-4390-41BB-AB59-08425583E606@w3.org>
On the issue of the normative statements vs. the current status as well as what we can control: I wonder whether the following compromise approach is acceptable: - the relevant sections are NOT marked as informative - we only use SHOULD statements and no MUST statements for what we choose to emphasize in those sections This approach would give, hopefully, a significantly more weight to our statements than they have today and, for the cases where this is feasible, we can also create tests and add it to our test suite (it already includes tests for SHOULD statements, ie, it is well prepared for that). On the other hand, we avoid the sticky question on what should we do if we declare a feature a MUST but we cannot fulfill the exit criteria (per the usual approach those features should be removed from the spec or marked as explicitly under-implemented per our own agreement, neither of the two sound like a good idea). Nick, what do you think? Ivan > On 11 May 2022, at 02:04, Nick Doty <ndoty@cdt.org> wrote: > > On Wed, May 4, 2022 at 5:52 PM Matt Garrish <matt.garrish@gmail.com <mailto:matt.garrish@gmail.com>> wrote: > Hi Nick, > > > > > These sections are marked as non-normative, but then include lots of normative language. I understand from the conformance sections that you don't intend that text to have the meaning of RFC 2119. However, I am concerned by this as a confusing trend > > > > Right, W3C has adopted RFC 8174. I can kind of appreciate why, given the contortions mocked by RFC 6919 <https://datatracker.ietf.org/doc/rfc6919/>. š > > > Yes, that is also part of my concern here. Whether the words are in all caps or not, it does seem like we're often saying, you really shouldn't do this, but we know you will anyway. Moreso, I'm concerned that it could also be interpreted as: we'll make no attempt to fix it and you won't even have to pretend or assert that you aren't doing the wrong thing. > > More seriously, weāve tended not to enforce requirements that canāt be tested and/or are going to be implementation specific. Just as an example, an EPUB publication canāt enforce that a publisher obtain consent to collect data prior to a user opening it. We know you should do it, but when weāve made these sorts of statements normative in the past theyāve been called āaspirationalā. Similarly, a reading system should allow users to control any information collected, but thereās no single solution to the problem. > > > > I donāt personally have an issue with these being stated in normative terms, but I donāt have enough experience with W3C standardization process to know if theyād raise flags as being underspecified if we did. > > > I think non-normative language can still be valuable: in particular, we can try to be clear about who has the responsibility to do what to protect the user, even if we can't currently specify it in a normative and interoperable way. And it can be a useful marker for future work, to be clear that these privacy issues haven't yet been directly resolved yet, but there are expectations for how they're used and there may be changes in the future to limit their invasiveness or insecurity. > > There may also be cases where requirements are testable and could be made normative, even if they haven't typically been easily included in automated test suites. > > > The rs and a11y specs note cases where certain behavior might violate privacy laws ā¦ I don't think that should be the motivation for protecting user privacy > > > > Right, itās not even necessary in the accessibility spec to cite privacy laws as itās not adding anything. Iāll have to go back and see what the RS spec says. > > > > > External resources should be loaded securely, for example over HTTPS. > > > > This sounds like a useful restriction. > > > > Apologies for being selective and brief in my comments, as Iām on the road right now. It would probably help to get your concerns into the github tracker rather than discuss over email. Iāll try and do that when I have a minute. > > > I've opened #2263, #2265, #2266 for the security issues. #2264 for the mostly editorial issue on unrelated documents. #2267 for the privacy laws editorial issue. > > I think we should re-open 1876, 1872 and 1875, and that 1872 (normative changes might be necessary) and 1875 (might just be non-normative changes but not sure) should be marked as privacy-needs-resolution. My github account doesn't have authority to do that, though, but I've marked need-resolution in the linked horizontal review tracking issues. > > Hope that helps, > Nick ---- Ivan Herman, W3C Home: http://www.w3.org/People/Ivan/ mobile: +33 6 52 46 00 43
Received on Thursday, 12 May 2022 12:12:53 UTC