- From: <michael.mccormick@wellsfargo.com>
- Date: Mon, 19 Nov 2007 17:22:57 -0600
- To: <ifette@google.com>
- Cc: <johnath@mozilla.com>, <public-wsc-wg@w3.org>
- Message-ID: <9D471E876696BE4DA103E939AE64164D7CD470@msgswbmnmsp17.wellsfargo.com>
Your perspective is totally valid Ian. And from that perspective, everything you said makes sense.

But a different perspective is that of a skeptic who looks at WSC, sees it's dominated & led by technology firms including some browser makers, reads in our acceptance criteria that W3C will only propose changes with guaranteed browser manufacturer uptake, and concludes the game was rigged. The actions of certain browser manufacturers have made many people skeptical about whether browser makers really care about security. W3C needs to strive for an appearance of impartiality.

If you can imagine how this process looks to a skeptical outsider, maybe you can understand why I still feel Criteria 2 should be reworded?

I agree any WSC recommendation which faces resistance from the UA community needs serious discussion. I just don't think it should be automatically disqualified because browser makers don't like it. Which is what Criteria 2 seems to imply.

Mike

_____
From: public-wsc-wg-request@w3.org [mailto:public-wsc-wg-request@w3.org] On Behalf Of Ian Fette
Sent: Monday, November 19, 2007 3:42 PM
To: McCormick, Mike
Cc: johnath@mozilla.com; public-wsc-wg@w3.org
Subject: Re: ISSUE-117 (serge): Eliminating Faulty Recommendations [All]

I don't really view the recommendation as ammunition at all. I think that most likely you have an environment where security is taken seriously, in which both sides (UX and security) come together to make a reasonable decision, or you have an environment where security takes a back seat. In the former, you don't really need to hold up a spec and have "ammo", in the latter, you're in trouble anyways, and I don't think a brand-new spec (which, let's face it, is not at all critical path) is going to change anything.

My personal view is this (and it is only my personal view, feel free to disagree). I want to see as many browsers fully-adopt as possible.
If a browser is comfortable doing most of the things, and there are only a few minor holdouts, there may be willingness to give way and conform on those minor holdout areas, for the sake of being able to claim conformance. If there is something in the spec that is just not going to happen, for whatever reason, and a decision is made not to conform, then it makes it much easier to ignore all the other little things in the spec as well. Use whatever analogy you want (cracks in glass, faults, whatever), I just feel that if there is one thing that is going to cause non-conformance, it will likely spread and cause even more non-conformance.

As for "people won't like it" - this worries me a lot, perhaps even more than "it won't work". If something drives users away to a less secure UA, that is like the worst of both worlds. It results in users being less protected, and if someone says "Adopting WSC-XIT caused a decline in market share of X in our product" then that certainly doesn't speak well for others deciding to adopt the rec, and also makes us look like we're out in la-la land.

If we are told / believe that a part of the recommendation is not likely to be implemented, then we need to have a really serious discussion about whether that part should stay in, and what the likely effect on adoption of the overall proposal is.

On Nov 19, 2007 11:52 AM, <michael.mccormick@wellsfargo.com> wrote:

Hi Johnathan,

No slight intended. But just as a matter of principle I don't believe "browser manufacturer adoption likelihood" should be a litmus test for W3C recommendations (either browser manufacturers who participate in WSC or others). Criteria 2 should therefore be reworded or withdrawn imho.

I recognize a distinction between "it won't work" versus "people won't like it". I would certainly agree nothing in the former category should make it into wsc-xit. The latter category is the one I worry about.
There are certain browser manufacturers (present company excluded) where it seems convenience, performance, or time-to-market frequently trumps security considerations. Even at a place like Mozilla where you don't have shareholders to answer to, I would imagine security versus convenience/speed trade-offs are difficult for you as they are for the rest of us. Rather than view WSC as "calling browsers to heel", I view it as extra ammunition for the pro-security faction to use in those internal debates.

Cheers
Mike

_____
From: public-wsc-wg-request@w3.org [mailto:public-wsc-wg-request@w3.org] On Behalf Of Johnathan Nightingale
Sent: Wednesday, November 14, 2007 5:03 PM
To: W3C WSC Public
Subject: Re: ISSUE-117 (serge): Eliminating Faulty Recommendations [All]

On 12-Nov-07, at 3:46 PM, <michael.mccormick@wellsfargo.com> <michael.mccormick@wellsfargo.com> wrote:

Criteria 2, at least as phrased below, concerns me. I don't feel WSC should be constrained from making a recommendation just because a particular community may resist adopting it. Our guidance on favicons is a case in point. I'm skeptical browsers will adopt that recommendation any time soon but it's still the right thing to do. If browser manufacturers could always be counted on to do the right things for security on their own, then initiatives like WSC would be less necessary.

Criteria 2 could also reinforce a perception among some skeptics that W3C is beholden to certain web technology vendors and gives their needs priority over those of other industries or the broader user community.

Parenthetical: I'm not sure if there's an implied slight in there or not -- are we browser vendors assumed to be deliberately not doing the right things for security on our own? Is there some other interest we are supposed to be serving than the well-being of our users? I can't speak for others, but I don't have any shareholders pulling my strings here.
The WSC has positive, constructive reasons for existing that don't trace themselves to "calling browsers to heel."

I'm absolutely not sold on the idea that dropping favicons is the right thing to do, but without meaning to diverge from issue-117, I would agree that we shouldn't elevate any members of the working group as being more influential than others. I would also argue that recommendations for which we pat ourselves on the back, but which don't see any implementation anywhere, are mostly a waste of our time though. Whether it's content authors, browser authors, crypto researchers, or some other group, I would hope that "this won't work" would be a topic of significant consideration and concern to our group.

Cheers,
Johnathan

---
Johnathan Nightingale
Human Shield
johnath@mozilla.com
Received on Monday, 19 November 2007 23:26:24 UTC