- From: Close, Tyler J. <tyler.close@hp.com>
- Date: Wed, 27 Jun 2007 20:14:08 -0000
- To: <public-wsc-wg@w3.org>
Mez wrote:

> Tyler, can you say if anything other than the conformance section underwent
> substantial change? Since it's not in the wiki, I can't do a diff to use my time most
> efficiently and look at the changes.

It depends upon what version you last read. AFAIK, the last version you read was the one in the wiki. If that's true, I recommend re-reading the full text of the proposal. The Conformance section and the annotated list of usability principles are the major new sections, but I've edited the rest of the text as well in response to feedback from the group.

> "Selection of a PII text string" - do you or others know what is currently out
> there that would not conform to this section?

AFAIK, no existing form filler conforms to this section.

> I'm not sure how popular form fillers are,

All desktop web browsers have built-in form fillers.

> but I believe Sxipper would be nonconformant in its current instantiation. For
> things that are currently non conformant, can they (easily) become conformant?

I think this proposal is readily implementable.

> "Selecting the provided option sends an email to the technical contact for the
> hostname." - this seems to call for some support at the server or protocol level. How
> is the technical contact found?

whois lookup of the technical contact

> And what if the device is not a general purpose device with email? There's a
> conformance class issue here.

Then don't send the email. I'll put a SHOULD in there. This step doesn't exist to defend against an attack, but to provide diagnostic information to misconfigured servers and to let the user feel like they've taken action. I suspect misconfigured servers are much more common than MITMs, so providing the diagnostic should be helpful.

I also don't want to leave the user with the message of "Just stop what you're doing indefinitely!". I'm hoping the act of reporting the error might be enough to make the user feel comfortable in delaying their task for a while. I figure most MITMs are short lived, so if the user just tries again later, the MITM will most likely be gone and they'll be able to set up a secure connection.

Tyler
Received on Wednesday, 27 June 2007 20:15:13 UTC