ACTION-509 Cross-frame scripting notes for "Security Considerations" section

I recommend we extend section 8.6 "Mixing Augmented Assurance and Validated Certificates" with the following paragraph:

"""
Under the browser's Same Origin policy, separately displayed webpages from the same origin can freely read and modify each other's state. A webpage's origin is comprised of the scheme, host and port of the URL used to retrieve the webpage. The origin does not take into account any attributes of the TLS session or server certificate used when retrieving a webpage. This document recommends presentation of the security attributes of the TLS session used to retrieve a webpage. If separate webpages are retrieved using separate TLS sessions, their security presentations may differ, even though neither page can be trusted any more than the other. For example, consider a user agent that has loaded two webpages from https://www.example.com/. When the first page was retrieved, an Augmented Assurance Certificate (AAC) was used by the TLS session. When the second page was retrieved, a different certificate, such as a domain validated or self-signed certificate, was used. Though the first page was retrieved using an AAC certificate, it should not be trusted any more than the second page, since the second page can freely read and write the first page. Differing security presentations of the two pages may obscure this relationship in the mind of the user.
"""

This email completes ACTION-509.

--Tyler

Received on Wednesday, 28 January 2009 17:38:24 UTC
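
The scenario in the proposed paragraph, as an added example that is not part of the original message: it groups loaded pages by origin (scheme, host, port) and reports pages whose own certificate class is stronger than the weakest one seen for that origin. The page list, the certificate class names, their ranking and the function names are assumptions made for illustration.

```javascript
// Assumed ranking of certificate classes, weakest first (illustrative only).
const ASSURANCE_RANK = {
  "none": 0,                 // plain HTTP, no TLS session
  "self-signed": 1,
  "domain-validated": 2,
  "augmented-assurance": 3,
};

// Constructed sample: pages a user agent has loaded, with the certificate
// class of the TLS session that retrieved each one.
const loadedPages = [
  { url: "https://www.example.com/account", cert: "augmented-assurance" },
  { url: "https://www.example.com:443/news", cert: "self-signed" },
  { url: "https://shop.example.com/cart", cert: "augmented-assurance" },
  { url: "http://www.example.com/", cert: "none" },
];

// Origin is scheme + host + port only; nothing about the certificate enters.
function originOf(url) {
  return new URL(url).origin;
}

// For each origin, the weakest certificate class among its loaded pages.
// Pages sharing an origin can script each other, so this is the ceiling
// on how far any of them can be trusted.
function effectiveAssurance(pages) {
  const weakest = new Map();
  for (const { url, cert } of pages) {
    const origin = originOf(url);
    const current = weakest.get(origin);
    if (current === undefined || ASSURANCE_RANK[cert] < ASSURANCE_RANK[current]) {
      weakest.set(origin, cert);
    }
  }
  return weakest;
}

// Pages whose per-session presentation would overstate the origin's trust.
function overstatedPages(pages) {
  const weakest = effectiveAssurance(pages);
  return pages
    .filter((p) => ASSURANCE_RANK[p.cert] > ASSURANCE_RANK[weakest.get(originOf(p.url))])
    .map((p) => ({ ...p, effective: weakest.get(originOf(p.url)) }));
}
```

With the sample data, only the `/account` page is reported: it shares an origin with the self-signed `/news` page, while the `shop.` host and the `http:` scheme form separate origins.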