
Re: wsc-xit review comments

From: Johnathan Nightingale <johnath@mozilla.com>
Date: Fri, 14 Dec 2007 16:18:23 -0500
Cc: W3C WSC W3C WSC Public <public-wsc-wg@w3.org>
Message-Id: <4ED6DDAE-854E-46E4-858E-5944D295A269@mozilla.com>
To: "Mary Ellen Zurko" <Mary_Ellen_Zurko@notesdev.ibm.com>

On 14-Dec-07, at 2:42 PM, Mary Ellen Zurko wrote:

> > 5.5.3 - As I understand it, this creates an inescapable obligation on
> > user agents to store certificate history.  Aside from the challenge
> > that no major browser currently does this (as far as I know), this
> > creates privacy and implementation concerns around data retention.  We
> > don't say how long this information must be kept, but we say the
> > browser MUST treat it as a change of security level, which does not
> > seem to leave open the possibility of not storing it.
>
> I read it as remembering those two states for sites visited (strongly
> TLS protected and AA cert). Which isn't exactly the same thing, is it?

Well, my point is that it means remembering anything at all for sites  
visited, which we in Firefox currently do only for a fixed period of  
time. The current language doesn't seem to anticipate that behaviour,  
but retaining that data forever, even if it is just a couple boolean  
states, is a pretty tall order.



Johnathan Nightingale
Human Shield
Received on Friday, 14 December 2007 21:18:45 UTC
