RE: Extended Validation SSL indication from Jim Allan on 2008-08-21 (w3c-wai-ua@w3.org from July to September 2008)

From: Jim Allan <jimallan@tsbvi.edu>
Date: Thu, 21 Aug 2008 15:08:35 -0500
To: "'Kelly Ford'" <kford@windows.microsoft.com>, <w3c-wai-ua@w3.org>
Message-ID: <004b01c903c9$b164c190$142e44b0$@edu>
Kelly wrote:  
> In IE7 we did some work to try and make this experience more accessible.
> It is interesting because had you browsed with Window-Eyes you would have
> had  had a slightly different experience.
> 
> Window-Eyes gives announcement of this kind of security info automatically
> on page load.

That's good to hear that some AT is picking it up. I wonder what happens on
a mobile browser?
 
> When you say you were not able to activate the links with the keyboard,
I'm
> not seeing that.  If you arrow through the security info in IE, there are
> two links and pressing enter on both should activate those links.

For clarification, my experience now matches you experience. On my first
encounter, I was using IE7 with JAWS 9. I had to route JAWS to PC to even
read the text in the security information that appeared after I activated
it. But could not activate the links... after reading your message, I tried
it again...and it works as described. I think on my first attempt, I hit
down arrow and it didn't say thing (not even blank) so I jumped to brute
force mode (routing cursors, etc.). This time, I hit down arrow one more
time and Jaws started reading. And I could focus on the links and activate
them. Curiously, 'Verisign' (the word) is not spoken when I use up or down
arrow to read the text in the box. If I use a left or right arrow to read
the text "VeriSign has identified this site as:" then Verisign is spoken as
a unique object. 

So from the top of the security box...
Down arrow twice, Jaws says "has identified this site as:" up or down arrows
continues to read all of the other text in the box. The only way to have
'verisign' spoken, is to arrow to the line "has identified this site as:"
and hit left arrow.
 
> This is an interesting topic and I have more thoughts and we've discussed
> this issue internally.  We can discuss in a meeting.

I agree, we should address it on a call. I think it may belong in Guideline
3 - perceivable. User has to know it is there, so they can choose to do
something with it.

Jim

> -----Original Message-----
> From: w3c-wai-ua-request@w3.org [mailto:w3c-wai-ua-request@w3.org] On
> Behalf Of Jim Allan
> Sent: Tuesday, August 19, 2008 3:21 PM
> To: w3c-wai-ua@w3.org
> Subject: Extended Validation SSL indication
> 
> 
> Just read an interesting article " Earn Trust With Extended Validation
SSL"
> from
> http://www.thestylesheet.com/featured-articles/2008/08/earn-trust-with-
> exten
> ded-validation-ssl/
> 
> The article was related to security but mentioned the browsers address bar
> turning green and other indicators to tell the user about the valid
> certificate. My accessibility alarm bells gave a ring.
> 
> So I tested with Jaws in IE7 and FF3. Went to http://www.papercheck.com/
as
> a test. The address bar does indeed turn green when you activate a
> 'purchase' link.
> In IE7 valid certificate information also appears to the right of  the
> address field. You are able to tab to this information, space bar opens
it,
> and with some routing of Jaws to PC cursor, you can read what is there.
But
> I was not able to activate any of the links (or tab to them) in the valid
> certificate information. Mouse was the only interaction possible.
> 
> In FF3 valid certificate information also appears in the address field to
> the left of the actual address. You are able to tab to this information,
> space bar opens it, and JAWS reads the information. Then you can tab to
> actionable items, open them, and interact will all of the information in
> the
> new windows.
> 
> The concern is that there is no notification to the user indicating that
> new
> information appeared in the UA user interface other than the color change
> and new text appears in or near the address bar. The UA generates these
> items from meta tags in the head of the page.
> <link rel="meta" href="https://www.papercheck.com/labels.xml"
> type="application/rdf+xml" title="ICRA labels">
> <meta http-equiv="pics-Label" content='(pics-1.1
> "https://www.icra.org/pics/vocabularyv03/" l gen true for
> "https://www.papercheck.com/"  ...>
> 
> Security information is critical to all users. The UA should alert the
user
> when this 'pop-on' security information is available. This is different
> from
> being altered that you are going to a secure website. UAs already have
that
> functionality. It should be documented. The resulting
> information/interaction should be keyboard accessible and available
> programmatically.
> 
> I did a quick review of UAAG20 but did not find anything specific.  This
> needs further discussion, but after we have keyboarding completed.
> 
> Thoughts? Other issues related to information appearing in the address bar
> or elsewhere in the UA interface?
> 
> Jim Allan, Accessibility Coordinator & Webmaster
> Texas School for the Blind and Visually Impaired
> 1100 W. 45th St., Austin, Texas 78756
> voice 512.206.9315    fax: 512.206.9264  http://www.tsbvi.edu/
> "We shape our tools and thereafter our tools shape us." McLuhan, 1964
> 
> 
> 
> 
> 
>
Received on Thursday, 21 August 2008 23:24:51 UTC