Under "4.2.1 Protect Personal Information Used in Transactions":

The earlier version (20080522) had guidance on methods of information security other than HTTPS in the paragraph "When they are provided by the user or user-agent, user identities should only be exchanged between user-agent and content server using secure methods (e.g. HTTPS), or as securely hashed information (e.g. included as URL parameters, POST data, or cookies). To avoid the overhead of using HTTPS for all transactions, a related pseudo-identity or secure hash of the actual identity can be exchanged in non-secure transactions." The current draft simply says "a related pseudo-identity or secure hash of the actual identity can be exchanged".

The available methods of such exchange may be unclear to developers, and the considerations around the various techniques would benefit from further discussion. If anything, I would like to see us *expand* the description of sending secure information as URL parameters and POST (form) data, or other methods as called for in the current draft note.

Best regards,

Bryan Sullivan | AT&T
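
One way to read "a related pseudo-identity or secure hash of the actual identity" sent as a URL parameter, as an added example that is not part of the original message or of the draft: a server-keyed HMAC-SHA256 stands in for the identity, set beside a plain unkeyed hash that anyone able to guess the identity can recompute. The key, the `uid` parameter name, the host and the user list are constructed assumptions, and the token still identifies the same user to anyone who observes it on a non-secure connection.

```python
import hashlib
import hmac
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed sample values; in practice the key is a server-side secret.
SERVER_KEY = b"example-server-side-secret-key"
USERS = ["alice@example.com", "bob@example.com"]


def unkeyed_hash(identity: str) -> str:
    """Plain SHA-256: anyone who can guess the identity can recompute it."""
    return hashlib.sha256(identity.encode()).hexdigest()


def pseudo_identity(identity: str, key: bytes = SERVER_KEY) -> str:
    """Keyed hash (HMAC-SHA256): cannot be recomputed without the key."""
    return hmac.new(key, identity.encode(), hashlib.sha256).hexdigest()


def build_url(base: str, identity: str) -> str:
    """Carry the pseudo-identity, never the identity, as a URL parameter."""
    return base + "?" + urlencode({"uid": pseudo_identity(identity)})


def resolve(url: str, known_users=USERS):
    """Server side: map the received token back to a known user, or None."""
    values = parse_qs(urlparse(url).query).get("uid", [])
    if len(values) != 1:
        return None  # missing or duplicated parameter
    received = values[0].encode()
    for user in known_users:
        # Constant-time comparison of the recomputed and received tokens.
        if hmac.compare_digest(pseudo_identity(user).encode(), received):
            return user
    return None


def guessable(token: str, candidates, derive) -> bool:
    """True if a candidate list plus `derive` alone reproduces the token."""
    return any(derive(c) == token for c in candidates)


if __name__ == "__main__":
    url = build_url("http://content.example/profile", "alice@example.com")
    print(url, "->", resolve(url))
```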