Re: [Proposal] New Guideline 6 checkpoints (APIs, Infoset, DOM) from David Poehlman on 2002-05-22 (w3c-wai-ua@w3.org from April to June 2002)

From: David Poehlman <poehlman1@comcast.net>
Date: Wed, 22 May 2002 18:10:57 -0400
To: "Ian B. Jacobs" <ij@w3.org>, Jim Ley <jim@jibbering.com>
Cc: w3c-wai-ua@w3.org
Message-id: <006f01c201dd$8d1a5ab0$91e03244@DAVIDPOEHLMAN>
Ian, I like this note but think the example is bad because it is
normative today to follow the practice of masking in the at because that
is what is provided to the user anyway.  If we can come up with a better
eample though such as for instance, document security being prohibitive
to at, that would be good.

----- Original Message -----
From: "Ian B. Jacobs" <ij@w3.org>
To: "Jim Ley" <jim@jibbering.com>
Cc: <w3c-wai-ua@w3.org>
Sent: Wednesday, May 22, 2002 2:25 PM
Subject: Re: [Proposal] New Guideline 6 checkpoints (APIs, Infoset, DOM)


Jim Ley wrote:
> "Jon Gunderson" <jongund@uiuc.edu>
>
>>I think that developers will not want to leave a hole open for
> programmatic
>>access to secure information.  They can provide a secure API, but I
> don't
>>think this will work unless we have a spec available to show them now.
>
> I don't think it is part of the current DOM requirements, but if it is
> then I withdraw my suggestion.  I don't think we should require more
> information
>>be provided through the API than what the user would get through the
>>standard user interface.   You can always do more.
>
>
> The value of the password element is already exposed in DOM 0 (and
> later), the asterixing is purely visual, it's often also misleading to
> user/developers that it is in some way more secure than other form
> elements, when it is not.  I think it would be more useful to expose
the
> value rather than the asterix's or blobs that are used now - it
doesn't
> introduce any new security holes, and the information is not secure.
>
> For genuine secure information, that may be different, but do we have
> any?

I agree with Al Gilman (and perhaps Jim as well)
that security issues should be addressed at another
layer than the layer of functionality we are requiring
in Guideline 6.

UAAG 1.0 mentions security issues in section 1.3 [1]:

  "Security. This document does not address security issues that may
   arise as a result of these requirements. For instance,
   requirements that software be able to read and write content and
   user interface information through APIs raise security issues. See
   the section on restricted functionality and conformance."

Perhaps we should not consider the lack of explicit security
measures a limitation of UAAG 1.0 but rather an explicit feature
of UAAG 1.0, and explain our expectations.

It's standard practice for RFCs to include a "Security
Considerations" section. What do people think about a section in
UAAG 1.0 that says something like this:

<new>
Security Considerations

Some of the requirements of UAAG 1.0 (e.g., communication through
APIs, allowing programmatic read and write access to content
and user interface control, etc.) have security implications.
This document assumes that user agent developers will address
security concerns through underlying security mechanisms, and
that other features, including features required by UAAG 1.0,
will be built above the security infrastructure. Consequently,
there are no "exceptions for security reasons" explicit in
UAAG 1.0 requirements.

Consider the example of a form control that allows the user to
enter a password. Graphical user agents commonly mask
mask characters typed in a password entry control, for example
by displaying the characters as asterisks. The user
agent should not communicate asterisks to assistive technologies,
but instead use legitimate security mechanisms such as encryption
so that, for example, only trusted assistive technologies have
access to what the user typed.

Appropriate behavior by the user agent (particularly with respect to
security) depends very much on the user's context. For instance,
hiding passwords visually with asterisks meets the needs of users in
a crowded environment, but is not critical when one is alone in a
room. Similarly, passwords should not be broadcast over a
loudspeaker, but could very well be spoken through an earphone and
pose no security risk.

Include links here to XML-Signature Syntax and Processing
http://www.w3.org/TR/xmldsig-core/
and XML Encryption Syntax and Processing
http://www.w3.org/TR/xmlenc-core/
</new>

  - Ian

P.S. This will help us address issue 528 [2].

[1] http://www.w3.org/TR/2001/CR-UAAG10-20010912/uaag10#limitations
[2] http://www.w3.org/WAI/UA/issues/issues-linear-cr2.html#528
--
Ian Jacobs (ij@w3.org)   http://www.w3.org/People/Jacobs
Tel:                     +1 718 260-9447
Received on Wednesday, 22 May 2002 18:11:34 UTC