- From: Rich Schwerdtfeger <richschwer@gmail.com>
- Date: Mon, 2 May 2016 13:06:49 -0500
- To: Brad Hill <hillbrad@gmail.com>, Janina Sajka <janina@rednote.net>
- Cc: Brad Hill <hillbrad@fb.com>, dvedits@mozilla.com, ARIA Working Group <public-aria@w3.org>, public-webappsec@w3.org, Mike Cooper <cooper@w3.org>
- Message-Id: <B002DEC5-41ED-42CD-B420-9FB5C165D008@gmail.com>

True. Are the other browser manufacturers planning to provide similar security indicators? We need to make sure AT Vendors report the indicators across browsers. I don’t know who would coordinate that with AT vendors (the APA working group or ARIA) but I will discuss that with the rest of the ARIA Working Group Thursday.

Based on your input I believe our password role definition is sound. We just need to work with AT vendors on this and ensuring they render text properly.

Regards,
Rich

Rich Schwerdtfeger

> On May 2, 2016, at 11:01 AM, Brad Hill <hillbrad@gmail.com> wrote:
>
> I'm not sure that even #1 is necessary. There is no such notification without AT for users interacting with fields that "behave like" password fields but aren't <input type=password>. A meaningful trust decision can only be made by examining the address bar to verify the identity of the resource and that it was delivered securely.
>
> On Mon, May 2, 2016 at 8:59 AM Rich Schwerdtfeger <richschwer@gmail.com> wrote:
> Brad,
>
> Thank you for responding to us so quickly. I gather that you don’t see it is necessary to have a joint meeting on the security issues related to an ARIA password role.
>
> Let me try and summarize what you deem to be the best course of action:
>
> 1. Ensure that the assistive technology is conveyed that this is a custom password role versus the standard HTML password role and this should be conveyed in our specification.
> 2. With this addition the password role text is acceptable: https://rawgit.com/w3c/aria/password-role/aria/aria.html#password
> 3. Although this is separate from ARIA, work with AT vendors to ensure that they notify the AT user of the state of security indicators in browsers: https://developer.mozilla.org/en-US/docs/Web/Security/Insecure_passwords
>
> If you agree with this summary the ARIA Working Group will proceed on this advice.
>
> Rich
>
> Rich Schwerdtfeger
> Chair, ARIA Working Group

Received on Monday, 2 May 2016 18:07:20 UTC