Don't favour https

From: Krzysztof Maczyński <1981km@gmail.com>
Date: Fri, 12 Mar 2010 15:40:02 +0100
Message-ID: <D4569F365CCB49B6A29F8664BBF3B3AF@kmPC>
To: <public-usable-authentication@w3.org>

Dear WG,

Section 5.2 of Web Security Context: User Interface Guidelines seems to favour the https scheme over http used with TLS as specified by RFC 2817. On the other hand, the W3C Director, TAG, IANA and other parties have indicated many times that URI schemes should be employed only if they enable identifying with URIs a class of resources semantically distinct from what other schemes already cover. Security characteristics of access to a resource are orthogonal to the identity of the resource itself (proof: the same resource can be made available by both means). Therefore, https is redundant and SHOULD NOT be used, since its range coincides with that of http. Please redefine “strongly TLS-protected” to include http with RFC 2817.

Best regards,

Krzysztof Maczyński
Invited Expert, HTML WG

Received on Friday, 12 March 2010 14:40:47 GMT