- From: Gez Lemon <gez.lemon@gmail.com>
- Date: Tue, 17 Jul 2007 00:35:45 +0100
- To: "Al Gilman" <Alfred.S.Gilman@ieee.org>
- Cc: wai-xtech@w3.org
Hi Al,

Regarding providing CAPTCHA through content negotiation:

On 16/07/07, Al Gilman <Alfred.S.Gilman@ieee.org> wrote:
<quote>
This would take some exploration. You don't really want to shut down the transmission of all images just so you get the CAPTCHA with an audio prompt. For one thing, you don't want the right answer to the visual and audio challenges to be the same string, for security reasons. It just makes the attacker's job too easy. So it's not a simple <object> substitution. You have to put an opaque key in the form reply that tells the server what right answer to look for.
</quote>

Forgive me if I'm being naive, stupid, or both, but I didn't think that a visual, audio, or any other type of challenge would require the same answer - I assumed that the challenge would be presented in exactly the same way that an alternative challenge would be presented if someone opts for a different challenge in the CAPTCHA systems available on the web right now. The key that identifies a challenge would be unique to the challenge; not the type of challenge being presented.

Al said:
<quote>
My rough take on this is that content negotiation is an idea the market has rejected and it won't be back. Not until the mobile version with more subtle user preferences in CC/PP is up and running. The pieces of this technology are mostly in place.
</quote>

I would bow to your superior knowledge in this area, but that is not my take on the situation. My take is that content negotiation is an area that's only just beginning to gain popularity; particularly in the internationalisation community, where user-agents provide features that afford content negotiation based on the user's preferred language. Google have been doing this for years, with more and more sites beginning to follow suit.

I am not aware of other areas where content negotiation is gaining popularity, so accept that you might be correct in your assertion, but thought that CAPTCHAs might be a good example where user preferences provided at the HTTP level might be helpful.

Al said:
<quote>
So it's not actually available to users enough to meet the WCAG sense of 'widely supported' in their discussion of accessibility-supported technologies
</quote>

WCAG isn't so much concerned with how the user arrives at the content, but that the content the user receives is accessible according to WCAG 2.0. If the original version the user receives is accessible, then there isn't an issue. If the original version isn't accessible, then there just needs to be a mechanism to obtain an accessible version, which is what we were talking about at the start of this topic - providing ways of ensuring that users can receive content to their preferences, although I would always expect the primary content to be accessible.

With regards to CAPTCHA, I can't help thinking that content negotiation is an excellent way of ensuring that users receive challenges in their preferred format, regardless of what the market response has been to date - providing content negotiation for CAPTCHA is supported by user agents (a big if for the future), and users take the time to set up their preferences (user responsibility). It would at least provide the content in the most appropriate format according to the user's preferences, and the author would still be responsible for ensuring the user had a chance to change that option.

<quote>
My current expectation is that we should be looking for something that is written out in a scripted web page so as to work in current browsers as the near-term existence proof of feasible and sufficient techniques.
</quote>

That would be the case, as the author should still provide a mechanism for the user to change the type of challenge - in the same way that a French version of a web page might be delivered to a user agent that was set up with an accept-language header that indicated a preference for French, but the author still offered various translations of the page. The important point is that the user originally receives something that is most suited to their needs.

Gez

--
_____________________________
Supplement your vitamins
http://juicystudio.com

Received on Monday, 16 July 2007 23:35:51 UTC
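
Added example, not part of the original message or of any existing CAPTCHA system: a server-side sketch of the scheme discussed in the thread, where the challenge type is negotiated from the HTTP Accept header, each challenge gets its own opaque key and its own answer, and the user can still switch type. All function names, the in-memory store and the default of a visual challenge are assumptions made for illustration.

```python
import hmac
import secrets

ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"
_CHALLENGES = {}  # opaque id -> (modality, expected answer); in-memory stand-in


def pick_modality(accept_header):
    """Pick 'visual' or 'audio' from an Accept header by highest q-value."""
    best, best_q = "visual", 0.0  # assumed default when nothing matches
    for part in accept_header.split(","):
        fields = [f.strip().lower() for f in part.split(";")]
        q = 1.0
        for f in fields[1:]:
            if f.startswith("q="):
                try:
                    q = float(f[2:])
                except ValueError:
                    q = 0.0
        kind = {"image": "visual", "audio": "audio"}.get(fields[0].split("/")[0])
        if kind and q > best_q:
            best, best_q = kind, q
    return best


def _new_challenge(modality):
    # Fresh random answer per challenge: the key identifies the challenge,
    # so a visual and an audio challenge never share an expected answer.
    answer = "".join(secrets.choice(ALPHABET) for _ in range(6))
    cid = secrets.token_urlsafe(16)  # opaque: reveals neither type nor answer
    _CHALLENGES[cid] = (modality, answer)
    return cid, modality


def issue_challenge(accept_header):
    return _new_challenge(pick_modality(accept_header))


def switch_modality(old_cid, modality):
    """User asks for another challenge type: retire the old key, issue a new one."""
    _CHALLENGES.pop(old_cid, None)
    return _new_challenge(modality)


def verify(cid, response):
    """Single-use check: the key is consumed whether or not the answer is right."""
    entry = _CHALLENGES.pop(cid, None)
    if entry is None:
        return False
    return hmac.compare_digest(entry[1].encode(), response.strip().upper().encode())
```

Because verify() consumes the key on every attempt, a wrong guess against one challenge type cannot be retried, and switching type never carries an answer over from the retired challenge.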