RE: ISSUE-26 OPEN "currently deployed security information"

From: Close, Tyler J. <tyler.close@hp.com>
Date: Fri, 27 Apr 2007 21:22:53 -0000
Message-ID: <08CA2245AFCF444DB3AC415E47CC40AFA57B13@G3W0072.americas.hpqcorp.net>
To: "Mary Ellen Zurko" <Mary_Ellen_Zurko@notesdev.ibm.com>, <public-wsc-wg@w3.org>

Thomas' suggested rewording is:

"""
In section 5.4 ("new security information"), the note stipulates that
"Recommendations will only be made for the presentation of currently
deployed security information."  I find myself struggling with what that
phrase might mean, and in considering the charter's language ("new
protocols out of scope"), I would rather say that we'll limit ourselves
to, e.g., "security information that can be made available within the
currently deployed protocol framework."
"""

I think you could drive a truck through this new wording.

I recall there being strong consensus that we didn't want to dream up
new security information we would like to have and then make
recommendations that depend upon that new information. Such information
could be made available as additional X.509 certificate attributes and
so be "made available within the currently deployed protocol framework".

If we want to ensure that EV certificates aren't disqualified by the
current wording, I suggest expanding upon the "currently deployed"
qualifier in such a way as to ensure the inclusion of EV.

I think I recall Phil at one point claiming that all Verisign certs are
EV certs, and always have been. Such a claim certainly crosses the
"currently deployed" threshold, in which case, there's no need for an
edit.

I'd like to discuss this edit some more, and so consider this post as
refreshing Mez's one-stale-week consensus barometer. ;)

Tyler
Received on Friday, 27 April 2007 21:24:11 GMT
