Re: ACTION-486: Rewrite section 5.4.3

On 11-Jun-08, at 4:59 PM, Yngve N. Pettersen (Developer Opera Software  
ASA) wrote:
> On Wed, 11 Jun 2008 21:01:10 +0200, Thomas Roessler <tlr@w3.org>  
> wrote:
>> Looks good to me.  I've dropped these into the current draft, with
>> some changes from "TLS-protected resource" to "TLS-secured page".
> Looks OK to me, although I would have preferred 5.4.4 to use "MUST".  
> A particular reason for my view is that MSIE7 (at least) is no  
> longer warning about this, and that I have seen hotel wireless  
> network logons using this method. True, SHOULD is almost MUST, but...

My thought process here was that SHOULD suggests that user agents  
really ought to consider this, but also implicitly acknowledges our  
security considerations about warning fatigue and the like.  I agree  
that this is problematic behaviour, and we should definitely recommend  
against it (maybe even with MUST language) in the guidance to site  
authors document, but I think for user agents we have to be very  
careful about every MUST-level error/warning, given that we also  
counsel implementors against having too many of them.

Cheers,

Johnathan

---
Johnathan Nightingale
Human Shield
johnath@mozilla.com

Received on Wednesday, 11 June 2008 21:58:14 UTC