RE: ISSUE-117 (serge): Eliminating Faulty Recommendations [All]

Hi Johnathan,
 
No slight intended.  But just as a matter of principle I don't believe
"browser manufacturer adoption likelihood" should be a litmus test for
W3C recommendations (either browser manufacturers who participate in WSC
or others).  Criteria 2 should therefore be reworded or withdrawn imho.
 
I recognize a distinction between "it won't work" versus "people won't
like it".  I would certainly agree nothing in the former category should
make it into wsc-xit.  The latter category is the one I worry about.
There are certain browser manufacturers (present company excluded) where
it seems convenience, performance, or time-to-market frequently trumps
security considerations.  Even at a place like Mozilla where you don't
have shareholders to answer to, I would imagine security versus
convenience/speed trade-offs are difficult for you as they are for the
rest of us.  Rather than view WSC as "calling browsers to heel", I view
it as extra ammunition for the pro-security faction to use in those
internal debates.
 
Cheers Mike

  _____  

From: public-wsc-wg-request@w3.org [mailto:public-wsc-wg-request@w3.org]
On Behalf Of Johnathan Nightingale
Sent: Wednesday, November 14, 2007 5:03 PM
To: W3C WSC Public
Subject: Re: ISSUE-117 (serge): Eliminating Faulty Recommendations [All]


On 12-Nov-07, at 3:46 PM, <michael.mccormick@wellsfargo.com> wrote:

	Criteria 2, at least as phrased below, concerns me.  I don't
	feel WSC should be constrained from making a recommendation just because
	a particular community may resist adopting it.  Our guidance on favicons
	is a case in point.  I'm skeptical browsers will adopt that
	recommendation any time soon but it's still the right thing to do.  If
	browser manufacturers could always be counted on to do the right things
	for security on their own, then initiatives like WSC would be less
	necessary.  Criteria 2 could also reinforce a perception among some
	skeptics that W3C is beholden to certain web technology vendors and
	gives their needs priority over those of other industries or the broader
	user community.


Parenthetical: I'm not sure if there's an implied slight in there or not
-- are we browser vendors assumed to be deliberately not doing the right
things for security on our own?  Is there some other interest we are
supposed to be serving than the well-being of our users?  I can't speak
for others, but I don't have any shareholders pulling my strings here.
The WSC has positive, constructive reasons for existing that don't trace
themselves to "calling browsers to heel."


I'm absolutely not sold on the idea that dropping favicons is the right
thing to do, but without meaning to diverge from issue-117, I would
agree that we shouldn't elevate any members of the working group as
being more influential than others.  I would also argue that
recommendations for which we pat ourselves on the back, but which don't
see any implementation anywhere, are mostly a waste of our time though.
Whether it's content authors, browser authors, crypto researchers, or
some other group, I would hope that "this won't work" would be a topic
of significant consideration and concern to our group.

Cheers,

Johnathan

---
Johnathan Nightingale
Human Shield
johnath@mozilla.com

Received on Monday, 19 November 2007 19:52:45 UTC