ARIA password role from Rich Schwerdtfeger on 2016-05-02 (public-webappsec@w3.org from May 2016)

From: Rich Schwerdtfeger <richschwer@gmail.com>
Date: Mon, 2 May 2016 10:56:23 -0500
To: Brad Hill <hillbrad@fb.com>
Cc: dvedits@mozilla.com, ARIA Working Group <public-aria@w3.org>, public-webappsec@w3.org, Mike Cooper <cooper@w3.org>
Message-Id: <36EA51F5-3B6B-4818-BA76-3A73B008D95F@gmail.com>

Brad, 

Thank you for responding to us so quickly. I gather that you don’t see it is necessary to have a joint meeting on the security issues related to an ARIA password role. 

Let me try and summarize what you deem to the best course of action:

1. Ensure that the assistive technology is conveyed that this is a custom password role versus the standard HTML password role and this should be conveyed in our specification. 
2. With this addition the password role text is acceptable: https://rawgit.com/w3c/aria/password-role/aria/aria.html#password <https://rawgit.com/w3c/aria/password-role/aria/aria.html#password>
3. Although this is separate from ARIA, work with AT vendors to ensure that they notify the AT user of the state of security indicators in browsers: https://developer.mozilla.org/en-US/docs/Web/Security/Insecure_passwords <https://developer.mozilla.org/en-US/docs/Web/Security/Insecure_passwords>

If you agree with this summary the ARIA Working Group will  proceed on this advice. 

Rich

Rich Schwerdtfeger
Chair, ARIA Working Group

Received on Monday, 2 May 2016 15:56:52 UTC