ISSUE-145: WhatIsASecurePage not fully incorporated [wsc-xit]

From: Web Security Context Working Group Issue Tracker <sysbot+tracker@w3.org>
Date: Mon, 17 Dec 2007 10:40:53 +0000 (GMT)
To: public-wsc-wg@w3.org
Message-Id: <20071217104053.AE97D5F70A@stu.w3.org>


http://www.w3.org/2006/WSC/track/issues/

Raised by: Yngve Pettersen
On product: wsc-xit

This issue tracks the points raised in this message:
  http://www.w3.org/mid/op.t225ya12qrq7tp@nimisha.oslo.opera.com


http://www.w3.org/2006/WSC/wiki/WhatIsASecurePage

AFAICT, the following recommendations are not yet in wsc-xit, or possibly not sufficiently covered.

  #6/#16: all-EV site (or in new nomenclature: all-AA sites).

  #12: Delayed security level change (mostly to upgrade security level, despite unsecure loading). May be covered by current security level change language.

More radical proposals not included

  #8: Forbid mixing of non-TLS-protected content in TLS-protected webpages

  #10: Forbid unsecure->secure password submit by clients

  #11: secure->Unsecure POST submits

  #13: Treat https-part of URL as a security indicator (also, relevant in relation to "Chinese whispers"-robustness, ACTION-347)

Received on Monday, 17 December 2007 10:41:00 UTC
