Re: [whatwg] Proposal: Locale Preferences API

[신정식, 申政湜]

2013/11/27 Boris Zbarsky 

> On 11/27/13 4:28 PM, Jungshik Shin (신정식, 申政湜) wrote:
>
>> That is, I suggest that 'navigator.language' always be the UI language of
>> a
>> web browser.
>>
>
> That's an unacceptable privacy leak from Mozilla's point of view.  See
> https://bugzilla.mozilla.org/show_bug.cgi?id=55366 where we explicitly
> switched from that to basing navigator.language on the Accept header.
>
>
Well, the vast majority of users would never touch A-L list. So, the top
entry in the A-L list would remain the default value, which is usually the
UI language. So, I don't know how much your change helps privacy if
revealing the UI language is indeed a valid privacy concern.

Jungshik




-Boris
>

Re: [whatwg] Proposal: Locale Preferences API

[신정식, 申政湜]

2013/11/27 Jukka K. Korpela 

> 2013-11-28 0:20, Boris Zbarsky wrote:
>
>  On 11/27/13 4:28 PM, Jungshik Shin (신정식, 申政湜) wrote:
>>
>>> That is, I suggest that 'navigator.language' always be the UI language
>>> of a
>>> web browser.
>>>
>>
>> That's an unacceptable privacy leak from Mozilla's point of view.  See
>> https://bugzilla.mozilla.org/show_bug.cgi?id=55366 where we explicitly
>> switched from that to basing navigator.language on the Accept header.
>>
>
> More importantly, I would say, the browser’s UI language should normally
> be completely irrelevant to page design and implementation.
>


>
> I might be using an English-language browser because there is no better
> option (localizations are lousy). This does not mean that when viewing a
> page in, say, German, I would want the page to talk to me in English, to
> use English-language month names in date controls and info, etc.
>
>

Sure. I don't disagree with you.  But, I have no idea what you wrote above
has anything to do with what I wrote, i.e navigator.language (singular)
containing the UI language and navigator.languages (plural)  matching the
Accept-Language HTTP header.

Jungshik



> Yucca
>
>
>

Re: [whatwg] Proposal: Locale Preferences API

[신정식, 申政湜]

The proposal looks good except for one reservation I have about. A few
years ago, we proposed a similar API to webkit-dev, but it's 'killed' there
and we didn't bring it up in whatwg (Chromium ended up adding an extension
API for that for Chrome extensions).

My reservation is :  it's not a good idea to "conflate" the browser's UI
language and the ordered list of preferred content languages
(Accept-Language).  Specifically, I think it's better to leave alone
'navigator.language' when the preferred list of languages is changed.


*2.1 If the first item of the lang list is not the same value as the value
of*
*the 'navigator' object's `language` attribute, update the `navigator`
object's `*
*attribute` to be the first item lang list.*

That is, I suggest that 'navigator.language' always be the UI language of a
web browser. When the 'preferred lang list' changes, it should NOT affect
'navigator.language' (singular) but ONLY updates 'navigator.languages'
(plural).

If 'language vs languages' is likely to cause confusion/errors, we might as
well choose to use 'preferredLanguages' or 'preferredContentLanguages' for
the latter.


Jungshik






2013/10/16 Erik Arvidsson 

> This looks very useful and the proposal looks solid.
>
>
> On Mon, Oct 14, 2013 at 6:43 PM, Ian Hickson  wrote:
>
> > On Mon, 14 Oct 2013, Marcos Caceres wrote:
> > >
> > > Ping?
> > >
> > > Mozilla would like to know if anyone else is interested or specially if
> > > people are NOT interested. We would like to implement this and expose
> it
> > > on the platform.
> > >
> > > See:  https://bugzilla.mozilla.org/show_bug.cgi?id=780953
> >
> > I was just looking at this, actually. I filed the following bug to track
> > it: https://www.w3.org/Bugs/Public/show_bug.cgi?id=23517
> >
> > Seems like a reasonable feature to me, FWIW.
> >
> > See also:
> >
> >Notification of change to navigator.language (locale change)
> >https://www.w3.org/bugzilla_public/show_bug.cgi?id=21289
> >
> >API to expose locale-specific settings
> >https://www.w3.org/Bugs/Public/show_bug.cgi?id=22679
> >
> >API to expose actual language of a node, to aid scripts doing
> >localisation and CJK editors during copy&paste and drag&drop
> >https://www.w3.org/Bugs/Public/show_bug.cgi?id=23512
> >
> > --
> > Ian Hickson   U+1047E)\._.,--,'``.fL
> > http://ln.hixie.ch/   U+263A/,   _.. \   _\  ;`._ ,.
> > Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
> >
>
>
>
> --
> erik
>

Re: [whatwg] window.cipher HTML crypto API draft spec

[신정식, 申政湜]

Thank you for the reply, David.

It's my mistake to send it without subscribing to the list. To avoid further
splitting the thread, I'm including below my original email here for others
to see (and to be archived).

BTW, while doing so, I'm adding a pointer to a chromium bug with some more
background on PKI and digital signing (in Korea and elsewhere) :
http://crbug.com/73226  (David has already found it and added a comment
there :-)).

Jungshik

2011/5/24 Ian Fette (イアンフェッティ) 

I personally find this to be a very interesting and potentially useful
> proposals. One of the problems that we / the web face is a legal requirement
> faced by many Asian banks (esp. Korea) to digitally sign all transactions.
> To meet this requirement, they use ActiveX controls, as the platform doesn't
> really give them the primitives they need. This seems like it should give
> them what they need, but I would be very interested in knowing whether
> there's more that would be needed or whether this would actually suffice.
>
>
The situation in Korea got a bit "better" recently in the sense that some
banks (or government agencies) now have a Firefox extension (with an xpcom
plugin), an npapi plugin, a Safari extension (on Mac OS only), and a Java
applet in addition to ActiveX controls (I can do online banking on Linux and
Mac ! :-)) . Obviously, this 'proliferation' of browser "plugins" is far
from ideal and it'd be great if there's a standard set of API to do what
these 'browser plugins' do.



> It would be good if we can figure out whether this is sufficient for e.g.
> Korean banking requirements, and if not, what else would be necessary. Does
> anyone have contacts with the relevant industry groups?
>
>
Earlier in the thread, JeffH mentioned the following. The first two threads
in his list  are relevant to on-line banking/e-commerce/government service
access in Korea and elsewhere.

While that's sorta interesting, there's various use cases that've been
mentioned in various places that the above proposed API doesn't necessarily
address..
Web Sigining in Action
http://lists.w3.org/Archives/Public/public-webapps/2009JanMar/0898.html
Re: Web Sigining in Action
http://lists.w3.org/Archives/Public/public-webapps/2009JanMar/0953.html
JS crypto? (and ensuing thread)
http://lists.w3.org/Archives/Public/public-webapps/2010AprJun/0605.html
Re: Hash functions (and ensuing thread)
http://lists.w3.org/Archives/Public/public-webapps/2010OctDec/1041.html


It looks like what David proposed seems to be a good start, but I'm afraid
it's not sufficient yet to replace various browser-plugins/add-ons used for
digital sigining and certificate management (as is done in Korea). For
instance, Channy Yun (who's the leader of Mozilla Koran user group: I'm
copying to him) has the following proposal.

http://html5.creation.net/webcrypto-api/

It covers the generation of cert request, cert import, smart card event
handling (apparently, in China, smartcards are widely used for on-line
banking) in addition to signing text. 'keygen' (codified in html5) appears
to cover some of needs for cert request and cert issuance, but does not go
all the way (to be useful).

I also wonder what David's proposal has to do with another Mozilla effort in
the area : https://wiki.mozilla.org/Labs/Secret

Jungshik

2011/5/24 David Dahl 

>
> - Original Message -
> From: "Jungshik Shin (신정식, 申政湜)" 
> To: "Ian Fette" 
> Cc: "David Dahl" , "WHATWG Proposals" <
> whatwg@lists.whatwg.org>, cha...@gmail.com
> Sent: Tuesday, May 24, 2011 2:36:01 PM
> Subject: Re: [whatwg] window.cipher HTML crypto API draft spec
>
> Great insight into the situation in Korea, thanks!
>
> > It looks like what David proposed seems to be a good start, but I'm
> afraid
>  it's not sufficient yet to replace various browser-plugins/add-ons used
> for
>  digital sigining and certificate management (as is done in Korea). For
>  instance, Channy Yun (who's the leader of Mozilla Koran user group: I'm
>  copying to him) has the following proposal.
>
> > http://html5.creation.net/webcrypto-api/
>
> Thank you for the link. I need to read all of these ideas and specs.
>
> > It covers the generation of cert request, cert import, smart card event
>  handling (apparently, in China, smartcards are widely used for on-line
>  banking) in addition to signing text. 'keygen' (codified in html5) appears
>  to cover some of needs for cert request and cert issuance, but does not go
>  all the way (to be useful).
>
> yeah, keygen would be so much better as part of an API rather than being
> part of a , etc.
>
> > I also wonder what David's proposal has to do with