Re: Rephrasing of certificate information caching policies in User Interface Guidelines (LC-2092)

Dear Sigbjørn Vik,

The Web Security Context Working Group has reviewed the comments you sent
[1] on the Last Call Working Draft [2] of the Web Security Context: User
Interface Guidelines published on 24 Jul 2008. Thank you for having taken
the time to review the document and to send us comments!

The Working Group's response to your comment is included below.

Please review it carefully and let us know by email at
public-usable-authentication@w3.org if you agree with it or not before 26
January 2009. In case of disagreement, you are requested to provide a
specific solution for or a path to a consensus with the Working Group. If
such a consensus cannot be achieved, you will be given the opportunity to
raise a formal objection which will then be reviewed by the Director
during the transition of this document to the next stage in the W3C
Recommendation Track.

Thanks,

For the Web Security Context Working Group,
Thomas Roessler
W3C Staff Contact

 1. http://www.w3.org/mid/op.ugx9ttio41y844@id-c0735.oslo.opera.com
 2. http://www.w3.org/TR/2008/WD-wsc-ui-20080724/


=====

Your comment on 5.4.1 TLS errors:
> A couple of comments regarding the wording of a paragraph.
> 
> "User agents SHOULD store the state of certificates that were
> previously encountered. (specifically, whether or not a site
> previously presented a validated certificate). Historical TLS
> information stored for the purposes of evaluating security relevant
> changes of behavior MAY be expunged from the user agent on the same
> schedule as other browsing history information. Historical TLS
> information MUST NOT be expunged prior to other browsing history
> information. For purposes of this requirement, browsing history
> information includes visit logs, bookmarks, and information stored in
> a user agent cache."
> 
> This sentence requires UAs to store the certificate information until
> other browsing history information (specifically bookmarks) is
> deleted. As we know that users never delete their bookmarks, the
> conclusion must be that the certificate information can never be
> deleted.
> 
> The intention should be that the certificate information gets stored
> along with other historical data as long as the user/UA keeps this
> around. Bookmarks in themselves are not historical data, though
> bookmarks may contain historical data such as time created, last
> visited, favicons (the favicon might contain a timestamp) and other.
> Different types of historical data might be treated by a UA in
> different ways (expunged at different schedules for instance), so
> treating certificate data the same way as all the other types might
> not be possible.
> 
> I propose a rewrite and clarification of the paragraph, particularly
> with the intention. As the paragraph stands now, a UA cannot let the
> user manually expunge certificate information only, as this would be
> in violation of the MUST NOT clause. Proposal follows:
> 
> "User agents SHOULD store the state of certificates that were
> previously encountered. Such state would typically include at least
> whether or not the certificate the site presented was valid, and may
> also include what the issues were with it (if any), protocol
> information, a fingerprint of the certificate and any other
> information for the purposes of evaluating security relevant changes
> of behavior. This information MUST be treated by the user agent under
> the same privacy and caching policies as other browsing history
> information, such as visit logs, timestamps in bookmarks, cookies, and
> information stored in the user agent cache."


Working Group Resolution (LC-2092):
Thank you. We have removed a number of items in wsc-ui due to lack of
implementation and testing, and this is one of the items that has been
removed. 

----

Received on Friday, 9 January 2009 20:03:13 UTC