W3C home > Mailing lists > Public > public-wsc-wg@w3.org > June 2008

Re: ACTION-486: Rewrite section 5.4.3

From: Johnathan Nightingale <johnath@mozilla.com>
Date: Wed, 11 Jun 2008 17:57:31 -0400
Message-Id: <1FAC468C-2C99-490B-8B1F-48633AD7E389@mozilla.com>
To: W3C WSC W3C WSC Public <public-wsc-wg@w3.org>

On 11-Jun-08, at 4:59 PM, Yngve N. Pettersen (Developer Opera Software  
ASA) wrote:
> On Wed, 11 Jun 2008 21:01:10 +0200, Thomas Roessler <tlr@w3.org>  
> wrote:
>> Looks good to me.  I've dropped these into the current draft, with
>> some changes from "TLS-protected resource" to "TLS-secured page".
> Looks OK to me, although I would have preferred 5.4.4 to use "MUST".  
> A particular reason for my view is that MSIE7 (at least) is no  
> longer warning about this, and that I have seen hotel wireless  
> network logons using this method. True, SHOULD is almost MUST, but...

My thought process here was that SHOULD suggests that user agents  
really ought to consider this, but also implicitly acknowledges our  
security considerations about warning fatigue and the like.  I agree  
that this is problematic behaviour, and we should definitely recommend  
against it (maybe even with MUST language) in the guidance to site  
authors document, but I think for user agents we have to be very  
careful about every MUST-level error/warning, given that we also  
counsel implementors against having too many of them.

Cheers,

Johnathan

---
Johnathan Nightingale
Human Shield
johnath@mozilla.com
Received on Wednesday, 11 June 2008 21:58:14 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Wednesday, 11 June 2008 21:58:15 GMT