- From: Mary Ellen Zurko <mzurko@us.ibm.com>
- Date: Wed, 12 May 2010 16:43:25 -0400
- To: public-wsc-wg@w3.org
- Message-ID: <OF60D86D14.CFECA5ED-ON85257721.007192C9-85257721.0071A8B3@LocalDomain>
Draft version of our transition request.

Mez

----- Forwarded by Mary Ellen Zurko/Westford/IBM on 05/12/2010 04:40 PM -----

From: Mary Ellen Zurko/Westford/IBM
To: timbl@w3.org, ralph@w3.org, plh@w3.org
Date: 05/07/2010 08:48 AM
Subject: Transition Request: WSC user interface guidelines to proposed recommendation

1. Document title

We propose to publish the following document as a Proposed Recommendation:

shortname   title
wsc-ui      Web Security Context: User Interface Guidelines

http://www.w3.org/2006/WSC/drafts/rec/rewrite.html

The estimated publication date is May 22, 2010.

2. Document Abstract and Status sections

http://www.w3.org/2006/WSC/drafts/rec/rewrite.html#abstract

Abstract

This specification defines guidelines and requirements for the presentation and communication of Web security context information to end-users.

http://www.w3.org/2006/WSC/drafts/rec/rewrite.html#status

Status of this Document

This document is an editors' copy that has no official standing.

This section describes the status of this document at the time of its publication. Other documents may supersede this document. A list of current W3C publications and the latest revision of this technical report can be found in the W3C technical reports index at http://www.w3.org/TR/.

The W3C Membership and other interested parties are invited to review the document and send comments to public-usable-authentication@w3.org (with public archive) through @@. Advisory Committee Representatives should consult their WBS questionnaires. Note that substantive technical comments were expected during the Last Call review period that ended 31 March 2010.

Please see the Working Group's Implementation Report.

This document was developed by the Web Security Context Working Group. The Working Group expects to advance this Working Draft to Recommendation Status.

To frame its development of this specification, the Working Group had previously published a use case note [WSC-USECASES]. This specification addresses most of the use cases and issues documented in that note by documenting best existing practice, with the following exceptions:

o This specification does not include advice for web site authors.
o This specification does not provide advice to address the issue explained in sections 9.1.2 Visually extending the chrome and 9.2.7 Information bar (aka: notification bar).

Additionally, section 10.4 Implementation and testing of [WSC-USECASES] articulated an expectation that the recommendations in this specification would be subject to usability testing, at least on a low fidelity level, and that such testing would form part of the Candidate Recommendation exit criteria. Resources available to the Working Group at this point will not permit the group to conduct extensive usability testing. At the same time, the focus of this specification has shifted toward documenting best existing practice.

For a list of changes to this document since its latest Last Call Working Draft, please refer to the diff document that is available. Notable changes made in response to last call comments include:

@@ Note: Will add links to sections in the diff to this list of changes. @@

o A clarification in the overview that the security properties of the local client state are out of scope.
o Removing upgrades as defined in RFC 2817 from the definition of TLS-protected.
o Reverting the conformance criteria for TLS indicator and identity signal to their Candidate Recommendation state of SHOULD in primary user interface, otherwise MUST in secondary user interface. (During the latest last call they had been changed to MUST in primary user interface.)
o In errors that interrupt the user's flow of interaction, clarifying that user agents are to make a best effort to enable the user to easily return to the previous user agent state.
o Referencing TLS-protected HTTP instead of HTTPS in the discussion of the security considerations of dynamic content changes from calls to the XMLHttpRequest API.

Publication as a Proposed Recommendation does not imply endorsement by the W3C Membership. This is a draft document and may be updated, replaced or obsoleted by other documents at any time. It is inappropriate to cite this document as other than work in progress.

This document was produced by a group operating under the 5 February 2004 W3C Patent Policy. W3C maintains a public list of any patent disclosures made in connection with the deliverables of the group; that page also includes instructions for disclosing a patent. An individual who has actual knowledge of a patent which the individual believes contains Essential Claim(s) must disclose the information in accordance with section 6 of the W3C Patent Policy.

3. Record of the decision to request the transition

The working group decided to take wsc-ui to CR via a formal vote:

// need uri for the vote results announcement

http://www.w3.org/2002/09/wbs/39814/wscuitopr/results

4. Report of important changes to the document

Differences against the latest Last Call Working Draft:

http://www.w3.org/2007/10/htmldiff?doc1=http://www.w3.org/TR/wsc-ui/&doc2=http://www.w3.org/2006/WSC/Drafts/rec/rewrite.html

The most noteworthy changes are:

o A clarification in the overview that the security properties of the local client state are out of scope.

o Removing upgrades as defined in RFC 2817 from the definition of TLS-protected.
  http://www.w3.org/2006/WSC/track/issues/245

o Reverting the conformance criteria for TLS indicator and identity signal to their Candidate Recommendation state of SHOULD in primary user interface, otherwise MUST in secondary user interface. (During the latest last call they had been changed to MUST in primary user interface.)
  http://www.w3.org/2006/WSC/track/issues/244

o In errors that interrupt the user's flow of interaction, clarifying that user agents are to make a best effort to enable the user to easily return to the previous user agent state.
  http://www.w3.org/2006/WSC/track/issues/246

o Referencing TLS-protected HTTP instead of HTTPS in the discussion of the security considerations of dynamic content changes from calls to the XMLHttpRequest API.
  http://www.w3.org/2006/WSC/track/issues/245

5. Evidence that the document satisfies group's requirements

The relationship to the document's requirements document is discussed in the Status of the Document starting with the Candidate Recommendation version of 22 December 2009:

http://www.w3.org/TR/2009/CR-wsc-ui-20091222/

No comments were received.

6. Evidence that dependencies with other groups met

wsc-ui has no dependencies with other groups. We have requested and received review from WebApps participants.

7. Evidence that the document has received wide review

There were three rounds of Last Call, with review comments received from 13 external parties:

http://www.w3.org/2006/02/lc-comments-tracker/39814/WD-wsc-ui-20100309/
http://www.w3.org/2006/02/lc-comments-tracker/39814/WD-wsc-ui-20090226/
http://www.w3.org/2006/02/lc-comments-tracker/39814/WD-wsc-ui-20080724/

We have draft implementation reports from three web user agents:

http://www.w3.org/2006/WSC/drafts/rec/wsc-impl.html

8. Evidence that issues have been formally addressed

See WSC issues list:

http://www.w3.org/2006/WSC/track/issues/

And the responses to the LC comments:

http://www.w3.org/2006/02/lc-comments-tracker/39814/WD-wsc-ui-20100309/
http://www.w3.org/2006/02/lc-comments-tracker/39814/WD-wsc-ui-20090226/
http://www.w3.org/2006/02/lc-comments-tracker/39814/WD-wsc-ui-20080724/

Three issues have been raised since our transition to third Last Call.

The requirement for an HTTPS URI for strong TLS protection was raised as an issue by a reviewer, who acknowledges the working group decision, but is not satisfied by it:

http://www.w3.org/2006/WSC/track/issues/245

// need to close the open issue

Two issues were clarifications that were accepted:

http://www.w3.org/2006/WSC/track/issues/246
http://www.w3.org/2006/WSC/track/issues/247

9. Objections

There have been no objections.

10. Implementation Information

The Working Group's implementation report presents evidence for three implementations of this specification. All three conform to all Basic requirements (i.e., MUST and MUST NOT clauses in the specification). One conforms to all Advanced requirements (i.e., SHOULD and SHOULD NOT clauses in the specification).

http://www.w3.org/2006/WSC/drafts/rec/wsc-impl.html

// final implementation report, not draft; clean up the headers and such

11. Patent Disclosures

None.
Received on Wednesday, 12 May 2010 20:42:07 UTC