- From: Robert Burns <rob@robburns.com>
- Date: Wed, 22 Aug 2007 21:27:52 -0500
- To: Lachlan Hunt <lachlan.hunt@lachy.id.au>
- Cc: joshue.oconnor@cfit.ie, public-html <public-html@w3.org>
- Message-Id: <D08EC077-8E01-4E33-B99D-D2D59D5A834B@robburns.com>
Hello Lachlan, Sander, and Josh

On Aug 22, 2007, at 10:59 AM, Lachlan Hunt wrote:

> Joshue O Connor wrote:
>> Lachlan Hunt wrote:
>>> Joshue O Connor claimed:
>>>> For example accessibility and security are two forces (sic) that
>>>> could be at loggerheads. In many ways they are opposing
>>>> principles. How can we make the web more accessible while still
>>>> making it more secure? How can they be reconciled? Which one
>>>> will get the bum's rush when the chips are down?
>>> I'm not sure what he's basing that claim on, I can't imagine how
>>> any security or privacy issue could affect accessibility.
>> Secure PDFs? [1] Off the top of my head, though it's not as bad as
>> it was. However, it is not disingenuous to suggest that there is at
>> least some tension between security needs and accessibility needs.
>
> PDF Security is actually a form of DRM, which is unrelated to the
> security that this principle is about. DRM is bad for everyone.
> This principle is about ensuring that the spec deals with security
> holes that could, for example, compromise the security or privacy
> of a user, particularly when scripting is involved.
>
>> [1] http://www.afb.org/afbpress/pub.asp?DocID=aw060604

This article is much more about the accessibility problems of PDF in general. It is also more steeped in the current state of the art in screen readers than in the potential accessibility of PDF. If it said more about the inherent security versus accessibility issues I missed it.

I will say that DRM, as hated as it is, is still very much the same security we're talking about here. Although security is a part of denying access (as the DRM case drives home), we should still seek to ensure security even if we know it might be misused (as DRM so often is).

On Aug 22, 2007, at 3:29 PM, Sander Tekelenburg wrote:

> It may depend on how one defines "accessibility"... (In my mind
> "accessibility" is pretty close to "usability", which is commonly
> recognised as something that needs to be balanced against security.
> Perhaps Joshue was thinking in that direction.)
>
> Trying to think of an obvious example of universality vs security:
> perhaps the issue of (visual-only) "Captchas" would be one?

I think Captchas are an excellent example of where accessibility may be neglected in order to provide security. However, it is also a good example of security as an after-thought, tacked on to HTML and HTTP. Authors often give up on usability in general to ensure better security.

The problem illustrated by captchas is tricky. It's used as a means to establish trust between two parties: between the website and what the website hopes will be a real human being who is there for the purposes laid out by the site's administrators. Of course real human beings can also spam websites. On the other hand not all real human beings can decipher captchas. So it is a very flawed mechanism for this establishment of trust.

Can HTML do anything to improve that or other security accessibility trade-offs? I don't know. It may be out of scope. Establishing trust is the trickiest part of any security model. It's probably not something we can address in HTML, though we could provide some informative prose reminding authors of the accessibility problems with tacked-on trust mechanisms (e.g., in such cases recommend providing a phone number or an email address to send a message to another real human being). This to me would be a part of incorporating HTML related security measures into a "Secure by design" HTML.

However, security and accessibility do not have to be at odds. I've heard it said the three 'A's of security are authentication, authority and access. So the point there is to grant access to those with the authority who are properly authenticated.

Another big problem to consider in providing security and improved usability together is security for users (not just authors). For example, users may be overwhelmed by the volume of requests for information and need a way to manage that. They may want to provide some information about themselves to some sites and not others. Recommendations such as P3P [1] help with this. We may want to consider recommending this and similar mechanisms by way of reference in HTML5. P3P helps browse users manage trust relations to authenticate authors granting them access based on granted authority to resources and information.

Take care,
Rob

[1]: <http://www.w3.org/P3P/>

Received on Thursday, 23 August 2007 02:28:39 UTC