ACTION-385: Changes to section 9.3

As agreed at the face-to-face, I've put the following text into
section 9.3:

  If a web application solicits a secret, such as a password, over
  TLS, then it MUST always transmit that secret using that level of
  protection or better. Any derived secret that conveys a similar
  level of authority as the original secret MUST also be protected
  at the same level as the original secret. Other derived secrets
  SHOULD also be given the same protection. Sensitive transactions
  also MUST be protected using the same level of protection.
  
  In a web-application, a secret may be used to authorize a
  transaction. The details of that transaction SHOULD also be
  transmitted using the same level of protection afforded the secret
  itself.

  -- http://www.w3.org/2006/WSC/drafts/rec/rewrite.html#tls-consistency

Also, according to the minutes [1], Mez declared ISSUE-162 moot with
this edit, so I've taken the liberty to mark it as closed in
tracker.

1. http://www.w3.org/2008/02/05-wsc-minutes.html#e
-- 
Thomas Roessler, W3C  <tlr@w3.org>

Received on Wednesday, 27 February 2008 13:32:23 UTC
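As an added illustration of the TLS-consistency rule quoted above (example code written here, not part of the WSC draft or of the message): a minimal request handler that refuses a password over a non-TLS connection, issues the derived secret (a session token) only with the cookie `Secure` attribute so the browser never sends it in the clear, and refuses to act on a session-authorized transaction that arrives without TLS. The `Request`/`Response` shapes, the cookie name `sid`, and the user data are assumptions constructed for the example.

```python
# Added example, not from the W3C draft or the original email. Request and
# Response are stand-ins for a real framework's objects; the user table and
# cookie name are constructed for illustration.
import hashlib
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional

# Toy user store: username -> salted SHA-256 of the password (constructed data).
_SALT = b"example-salt"
USERS = {"alice": hashlib.sha256(_SALT + b"correct horse").hexdigest()}

# Server-side session store: session token -> username.
SESSIONS: Dict[str, str] = {}


@dataclass
class Request:
    method: str
    path: str
    over_tls: bool                          # True when the request came in over TLS
    form: Dict[str, str] = field(default_factory=dict)
    cookies: Dict[str, str] = field(default_factory=dict)


@dataclass
class Response:
    status: int
    body: str
    set_cookie: Optional[str] = None


def login(req: Request) -> Response:
    # The password is a secret solicited over TLS, so it MUST only ever be
    # accepted over TLS: refuse a plaintext submission before even reading it.
    if not req.over_tls:
        return Response(403, "password must be submitted over TLS")
    user = req.form.get("user", "")
    pw = req.form.get("password", "").encode()
    if USERS.get(user) != hashlib.sha256(_SALT + pw).hexdigest():
        return Response(401, "bad credentials")
    # The session token is a derived secret carrying the same authority as the
    # password, so it gets the same protection. "Secure" tells the browser never
    # to send the cookie over plain HTTP; HttpOnly keeps it away from script.
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = user
    cookie = f"sid={token}; Secure; HttpOnly; SameSite=Strict; Path=/"
    return Response(200, "logged in", set_cookie=cookie)


def transfer(req: Request) -> Response:
    # A sensitive transaction authorized by the derived secret. The server also
    # enforces the rule: even if a client leaks the cookie over HTTP, neither the
    # token nor the transaction details are accepted in the clear.
    if not req.over_tls:
        return Response(403, "sensitive transaction must be submitted over TLS")
    user = SESSIONS.get(req.cookies.get("sid", ""))
    if user is None:
        return Response(401, "no valid session")
    amount = req.form.get("amount", "0")
    return Response(200, f"{user} transferred {amount}")


def session_token_from(resp: Response) -> str:
    # Helper for callers/tests: pull the token out of the Set-Cookie value.
    assert resp.set_cookie is not None
    return resp.set_cookie.split(";")[0].split("=", 1)[1]


if __name__ == "__main__":
    creds = {"user": "alice", "password": "correct horse"}
    print(login(Request("POST", "/login", over_tls=False, form=creds)).status)   # 403
    ok = login(Request("POST", "/login", over_tls=True, form=creds))
    tok = session_token_from(ok)
    print(transfer(Request("POST", "/transfer", over_tls=False,
                           cookies={"sid": tok}, form={"amount": "10"})).status)  # 403
    print(transfer(Request("POST", "/transfer", over_tls=True,
                           cookies={"sid": tok}, form={"amount": "10"})).body)
```

The two halves matter together: the `Secure` attribute is what makes the browser honour the rule for the derived secret, and the server-side `over_tls` check is what stops a downgraded or misconfigured client from getting the transaction accepted anyway.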