[fwd] Re: Web Security Context: User Interface Guidelines (from: timeless@gmail.com) from Thomas Roessler on 2008-08-06 (public-usable-authentication@w3.org from August 2008)

From: Thomas Roessler <tlr@w3.org>
Date: Wed, 6 Aug 2008 18:30:50 +0200
To: public-usable-authentication@w3.org
Cc: timeless@gmail.com
Message-ID: <20080806163050.GX4194@iCoaster.does-not-exist.org>

Archiving, with permission.
-- 
Thomas Roessler, W3C  <tlr@w3.org>






----- Forwarded message from timeless <timeless@gmail.com> -----

From: timeless <timeless@gmail.com>
To: Thomas Roessler <tlr@w3.org>
Date: Wed, 6 Aug 2008 18:34:13 +0300
Subject: Re: Web Security Context: User Interface Guidelines
Reply-To: timeless@gmail.com
X-Spam-Level: 
X-Bogosity: Unsure, tests=bogofilter, spamicity=0.500000, version=1.1.6

http://www.w3.org/TR/2008/WD-wsc-ui-20080724/

> user agents, such as plugins, extensions, and others; they are summarily called
> plug-ins, extensions, call outs to external systems which render particular document

plugins/plug-ins (English favors the latter, coders are lazy and use
the former, please pick one :))

> behavior might be determined by scripting, stylesheets, and other mechanisms.

and => or

> anchor is authoritative. Relying parties use trust anchors to determine if digitally

is "Relying parties" a _defined_ term? it seems awkward otherwise....

> Trust anchor installation is typically handled by Web user agent vendors ,systems

the , is on the wrong side of the space

> trust anchor update is therefore often handled as part of Web user agent or operating system software update.

update => updates

> for a single session, sometimes for all future sessions involving that certificate.

Firefox 3 ties a certificate to a host+port.

> some process that adheres to the requirements of an augmented asurance specification

assurance

> user agents MUST NOT consider the certificate as an augmented assurance certificate,

is there some reason not to write AAC or Augmented Assurance Certificate?

> [Definition: An HTTP transaction is strongly TLS-protected if it is TLS-protected, an https URL was used, strong TLS algorithms were negotiated for both confidentiality and integrity protection, and one of the following conditions are true:]

the transaction is not the result of a transaction which is not
strongly TLS-protected.

> warning or above (6.4.3 Warning/Caution Messages , 6.4.4 Danger Messages) MUST be used.

 above? you're in 5.4.2...
I think you mean "higher" or "greater". Above in a document to me
means printed document order (closer to top) and not some more
abstract thing.

> 5.4.3 Redirection chains

> a user agent such as a smart phone, air plane seatback or TV set which has a usage

individual LCD screens on airplanes

>       Subject logotypes derived from certificates SHOULD NOT be rendered, unless the certificate used is an augmented assurance certificate.

why is this a should not instead of a must not?

(i ran out of energy and am sending this now, hopefully it's useful)



----- End forwarded message -----

Received on Wednesday, 6 August 2008 16:31:26 UTC