Re: ISSUE-245: Do not require HTTPS URI for strong TLS protection from Mary Ellen Zurko on 2010-04-16 (public-wsc-wg@w3.org from April 2010)

From: Mary Ellen Zurko <mzurko@us.ibm.com>
Date: Fri, 16 Apr 2010 11:19:53 -0400
To: Thomas Roessler <tlr@w3.org>
Cc: public-wsc-wg@w3.org
Message-ID: <OF7DF3533E.6C2E489F-ON85257707.005403FB-85257707.00540CE4@LocalDomain>

Here's my drafted response to that LC comment:

http://www.w3.org/2006/02/lc-comments-tracker/39814/WD-wsc-ui-20100309/2382

I will send it out later today. 





From:   Thomas Roessler <tlr@w3.org>
To:     "Mary Ellen Zurko" <mzurko@us.ibm.com>
Cc:     Thomas Roessler <tlr@w3.org>, "Mary Ellen Zurko" 
<Mary_Ellen_Zurko@notesdev.ibm.com>, public-wsc-wg@w3.org
Date:   04/16/2010 10:13 AM
Subject:        Re: ISSUE-245: Do not require HTTPS URI for strong TLS 
protection



Done.  I suggest we keep the change to the security considerations that I 
had made in connection with this.

Regads,
--
Thomas Roessler, W3C  <tlr@w3.org>







On 16 Apr 2010, at 16:09, Mary Ellen Zurko wrote:

Sold.

Consensus declared.

Thomas, please revert us to the CR text on this. tx. 

          Mez





From:        Mary Ellen Zurko/Westford/IBM@Lotus
To:        public-wsc-wg@w3.org
Date:        04/12/2010 02:02 PM
Subject:        Re: ISSUE-245: Do not require HTTPS URI for strong TLS 
protection
Sent by:        public-wsc-wg-request@w3.org



Going once, going twice....

(anyone with any issues with the CR text and reasoning in this thread?)

From: Joe Steele <steele@adobe.com> 
Date: Fri, 9 Apr 2010 10:33:13 -0700
To: Thomas Roessler <tlr@w3.org> 
CC: "ifette@google.com" <ifette@google.com>, Web Security Context Working 
Group WG <public-wsc-wg@w3.org> 
Message-ID: <6BBBE705-5FD5-4B51-9ACF-8FCFB1B6EF60@adobe.com> 

I am fine with the CR version of this text. 

On Apr 9, 2010, at 9:56 AM, Thomas Roessler wrote:

> Ian Fette (イアンフェッティ) wrote:
>> I am very unhappy about this. I personally think it would be confusing 
to
>> users to see e.g. EV indication with an http URL. Users have no way of
>> knowing what the heck is going on here with upgrade, and furthermore 
are
>> likely to think they are secure when they just cut and paste in that 
URL
>> (since the upgrade will start on server response, as opposed to the 
client
>> expecting TLS/SSL from the start.)
>> 
>> If a site wants to use upgrade for whatever reason, fine, but if they 
want
>> the full SSL UI IMO they should instead do a
>> 
>> HTTP/1.1 301 Moved Permanently
>> Location: https://www.example.org/

>> 
>> I am not in favor of this change to WSC-UI, and think we should reject 
the
>> proposal in [2] and instead leave the spec as it was.
> 
> I can live with either following [2] or returning to the CR version on 
this 
> particular language.
> 
> I will note that, during the call, we didn't consider the UI 
implications of 
> not having an https URI, so I'm in favor of discussing that aspect, even 

> though it (strictly speaking) implies reopening the issue.
> 
> 
> 
>> Am 9. April 2010 08:22 schrieb Web Security Context Working Group Issue
>> Tracker<sysbot+tracker@w3.org<sysbot%2Btracker@w3.org>>:
>> 
>>> ISSUE-245: Do not require HTTPS URI for strong TLS protection
>>> 
>>> http://www.w3.org/2006/WSC/track/issues/245

>>> 
>>> Raised by: Thomas Roessler
>>> On product:
>>> 
>>> In LC-2382 [1], it was noted that the definition of "strongly 
protected TLS
>>> connections" required use of an HTTPS URI. For detailed discussion, 
see [2].
>>> 
>>> The WG decided during its call on 2010-03-31 [3] to accept the 
proposal in
>>> [2].
>>> 
>>> 1.
>>> 
http://www.w3.org/2006/02/lc-comments-tracker/39814/WD-wsc-ui-20100309/2382


>>> 2. http://lists.w3.org/Archives/Public/public-wsc-wg/2010Apr/0009.html

>>> 3. http://www.w3.org/2010/03/31-wsc-minutes.html

>>> 
>>> 
>>> 
>>> 
>> 
> 
>

Received on Friday, 16 April 2010 15:18:48 UTC