- From: Ian Fette <ifette@google.com>
- Date: Tue, 20 Nov 2007 09:21:23 -0800
- To: michael.mccormick@wellsfargo.com
- Cc: public-wsc-wg@w3.org

I understand the intent of "realistically feasible", but it sounds like we now are giving ourselves waaay too much wiggle room. For instance, we might think something "realistically feasible", but the browser vendors have a much better idea of their own market and its willingness to put up with our machinations. Thus, what seems feasible to us might seem totally ludicrous to them. Buy-in acts also as a forcing function - it forces us to open up a dialog, which frankly is lacking right now (not necessarily due to the fault of our group, but I really think that we do at least need to have some sort of discussion with the folks at MS and Apple, regardless of whether they join the WG or not, to at least get a reality check from them.) I think this forcing function would be a very good motivator. I'm not trying to say that the spec is contingent upon MS approval or anything of the sort, nor do I lose sleep over whether MSFT will join WSC. I just really want that dialog to happen, "officially" or unofficially, I just think it's unhealthy the way things are moving forward.

@Mike: "The WHATWG is a growing community of people interested in evolving the Web. It focuses primarily on the development of HTML and APIs needed for Web applications. The WHATWG was founded by individuals of Apple, the Mozilla Foundation, and Opera Software in 2004, after a W3C workshop. Apple, Mozilla and Opera were becoming increasingly concerned about the W3C's direction with XHTML, lack of interest in HTML and apparent disregard for the needs of real-world authors. So, in response, these organisations set out with a mission to address these concerns and the Web Hypertext Application Technology Working Group was born." (From WHATWG FAQ)

WHATWG basically took over the spec for HTML5, because people believed W3C was just out of it. Unlike W3C, there was no cost to participate, and the mailing lists have been much more active than the W3C lists... since then WHATWG and the W3C are now "working on the same specification", which is a very strange arrangement and not entirely clear what it means. If you want more information beyond that, I don't really trust myself to be an accurate and unbiased source on the matter. I would point you to @tlr, but I have no idea if he wants to go down this particular rathole. Perhaps offline, or on the member list, you might have better luck.

On Nov 20, 2007 8:03 AM, <michael.mccormick@wellsfargo.com> wrote:
> Hi Ian,
>
> Thanks for sharing this. I'm new to W3C so knowing this history helps me understand where you guys were coming from with Criteria 2. (What's WHATWG?)
>
> According to the SuccessBaseline page, C2 currently reads:
>
> 2. There is buy in and uptake of the recommendation by browsers, web application developers, web site administrators, and users
>
> My suggested rewording:
>
> 2. Adoption and implementation of the recommendation by browsers, web application developers, web site administrators, and users is realistically feasible
>
> I think this preserves the original intent of C2 (as I understand it) while subtly shifting the emphasis from "buy in" to "feasibility".
>
> Mike
>
> ________________________________
> From: Ian Fette [mailto:ifette@google.com]
> Sent: Monday, November 19, 2007 6:06 PM
> To: McCormick, Mike
> Cc: johnath@mozilla.com; public-wsc-wg@w3.org
> Subject: Re: ISSUE-117 (serge): Eliminating Faulty Recommendations [All]
>
> Not sure if I really want to say this on the record or not, but here goes. I have seen a lot of things where W3C has gone off the deep end. Without getting into specifics, there's a reason that WHATWG was started. Current politics of WHATWG / HTML5 / XHTML5 / whatever aside, W3C was more or less going in a direction that browsers were not going to follow, and it led to very bad things. The web hasn't been standards-compliant for a long time, and that is not a good thing. I would love to see more content conform to one of the HTML/XHTML/etc standards, and I would love to see browsers doing the same. However, for that to ever happen, the standards need to remain realistic and relevant. If we start going off doing what we think would be "cool", or even just "the right way" while ignoring realities, we risk going down the same path that led to the WHATWG formation and subsequent politics.
>
> I agree that W3C should strive for impartiality, but at the same time impartiality should not imply losing our grip on reality. (I realize that's not what you're saying, I'm just saying that is what can happen if we're not careful.) As to "criteria 2" and automatic disqualification - I agree that we don't want it to appear that we're in collusion and giving people a free pass. However, my concern is that if we feel we're writing a spec that won't be adopted, what's the point? Great, we're recommending "the right thing", but if no-one takes us up and commits to that recommendation, what's the point? If I felt that we were going to put out a recommendation that stood no chance of adoption, I'd quit the working group tomorrow.
>
> I don't think that Criteria 2 is intended as "Browser vendors get a veto on the rec." More, I think it should be read as "Are we producing a spec that will be implemented and adhered to, or are we wasting our time." That's a very different message (although I will concede that the practical result may be similar.) I want to make the web a safer place, but I also don't want to waste my time in writing spec that will never be adhered to.
>
> -Ian
>
> P.S. do you have a proposal for how to re-word C2?
>
> On Nov 19, 2007 3:22 PM, <michael.mccormick@wellsfargo.com> wrote:
> > Your perspective is totally valid Ian. And from that perspective, everything you said makes sense.
> >
> > But a different perspective is that of a skeptic who looks at WSC, sees it's dominated & led by technology firms including some browser makers, reads in our acceptance criteria that W3C will only propose changes with guaranteed browser manufacturer uptake, and concludes the game was rigged. The actions of certain browser manufacturers have made many people skeptical about whether browser makers really care about security. W3C needs to strive for an appearance of impartiality. If you can imagine how this process looks to a skeptical outsider, maybe you can understand why I still feel Criteria 2 should be reworded?
> >
> > I agree any WSC recommendation which faces resistance from the UA community needs serious discussion. I just don't think it should be automatically disqualified because browser makers don't like it. Which is what Criteria 2 seems to imply.
> >
> > Mike
> >
> > ________________________________
> > From: public-wsc-wg-request@w3.org [mailto:public-wsc-wg-request@w3.org] On Behalf Of Ian Fette
> > Sent: Monday, November 19, 2007 3:42 PM
> > To: McCormick, Mike
> > Cc: johnath@mozilla.com; public-wsc-wg@w3.org
> > Subject: Re: ISSUE-117 (serge): Eliminating Faulty Recommendations [All]
> >
> > I don't really view the recommendation as ammunition at all. I think that most likely you have an environment where security is taken seriously, in which both sides (UX and security) come together to make a reasonable decision, or you have an environment where security takes a back seat. In the former, you don't really need to hold up a spec and have "ammo", in the latter, you're in trouble anyways, and I don't think a brand-new spec (which, let's face it, is not at all critical path) is going to change anything.
> >
> > My personal view is this (and it is only my personal view, feel free to disagree). I want to see as many browsers fully-adopt as possible. If a browser is comfortable doing most of the things, and there are only a few minor holdouts, there may be willingness to give way and conform on those minor holdout areas, for the sake of being able to claim conformance. If there is something in the spec that is just not going to happen, for whatever reason, and a decision is made not to conform, then it makes it much easier to ignore all the other little things in the spec as well. Use whatever analogy you want (cracks in glass, faults, whatever), I just feel that if there is one thing that is going to cause non-conformance, it will likely spread and cause even more non-conformance.
> >
> > As for "people won't like it" - this worries me a lot, perhaps even more than "it won't work". If something drives users away to a less secure UA, that is like the worst of both worlds. It results in users being less protected, and if someone says "Adopting WSC-XIT caused a decline in market share of X in our product" then that certainly doesn't speak well for others deciding to adopt the rec, and also makes us look like we're out in la-la land.
> >
> > If we are told / believe that a part of the recommendation is not likely to be implemented, then we need to have a really serious discussion about whether that part should stay in, and what the likely effect on adoption of the overall proposal is.
> >
> > On Nov 19, 2007 11:52 AM, <michael.mccormick@wellsfargo.com> wrote:
> > > Hi Johnathan,
> > >
> > > No slight intended. But just as a matter of principle I don't believe "browser manufacturer adoption likelihood" should be a litmus test for W3C recommendations (either browser manufacturers who participate in WSC or others). Criteria 2 should therefore be reworded or withdrawn imho.
> > >
> > > I recognize a distinction between "it won't work" versus "people won't like it". I would certainly agree nothing in the former category should make it into wsc-xit. The latter category is the one I worry about. There are certain browser manufacturers (present company excluded) where it seems convenience, performance, or time-to-market frequently trumps security considerations. Even at a place like Mozilla where you don't have shareholders to answer to, I would imagine security versus convenience/speed trade-offs are difficult for you as they are for the rest of us. Rather than view WSC as "calling browsers to heel", I view it as extra ammunition for the pro-security faction to use in those internal debates.
> > >
> > > Cheers Mike
> > >
> > > ________________________________
> > > From: public-wsc-wg-request@w3.org [mailto:public-wsc-wg-request@w3.org] On Behalf Of Johnathan Nightingale
> > > Sent: Wednesday, November 14, 2007 5:03 PM
> > > To: W3C WSC Public
> > > Subject: Re: ISSUE-117 (serge): Eliminating Faulty Recommendations [All]
> > >
> > > On 12-Nov-07, at 3:46 PM, <michael.mccormick@wellsfargo.com> wrote:
> > >
> > > Criteria 2, at least as phrased below, concerns me. I don't feel WSC should be constrained from making a recommendation just because a particular community may resist adopting it. Our guidance on favicons is a case in point. I'm skeptical browsers will adopt that recommendation any time soon but it's still the right thing to do. If browser manufacturers could always be counted on to do the right things for security on their own, then initiatives like WSC would be less necessary. Criteria 2 could also reinforce a perception among some skeptics that W3C is beholden to certain web technology vendors and gives their needs priority over those of other industries or the broader user community.
> > >
> > > Parenthetical: I'm not sure if there's an implied slight in there or not -- are we browser vendors assumed to be deliberately not doing the right things for security on our own? Is there some other interest we are supposed to be serving than the well-being of our users? I can't speak for others, but I don't have any shareholders pulling my strings here. The WSC has positive, constructive reasons for existing that don't trace themselves to "calling browsers to heel."
> > >
> > > I'm absolutely not sold on the idea that dropping favicons is the right thing to do, but without meaning to diverge from issue-117, I would agree that we shouldn't elevate any members of the working group as being more influential than others. I would also argue that recommendations for which we pat ourselves on the back, but which don't see any implementation anywhere, are mostly a waste of our time though. Whether it's content authors, browser authors, crypto researchers, or some other group, I would hope that "this won't work" would be a topic of significant consideration and concern to our group.
> > >
> > > Cheers,
> > >
> > > Johnathan
> > >
> > > ---
> > > Johnathan Nightingale
> > > Human Shield
> > > johnath@mozilla.com

Received on Tuesday, 20 November 2007 17:21:44 UTC