- From: <mzurko@us.ibm.com>
- Date: Fri, 23 Apr 2010 12:31:56 +0000
- To: Krzysztof Maczyński <1981km@gmail.com>
- Cc: public-usable-authentication@w3.org
Dear Krzysztof Maczyński,

The Web Security Context Working Group has reviewed the comments you sent [1] on the Last Call Working Draft [2] of the Web Security Context: User Interface Guidelines published on 9 Mar 2010. Thank you for having taken the time to review the document and to send us comments!

The Working Group's response to your comment is included below, and has been implemented in the new version of the document available at: http://www.w3.org/2006/WSC/drafts/rec/rewrite.html.

Please review it carefully and let us know by email at public-usable-authentication@w3.org if you agree with it or not before 30 April 2010 (Arbor Day). In case of disagreement, you are requested to provide a specific solution for or a path to a consensus with the Working Group. If such a consensus cannot be achieved, you will be given the opportunity to raise a formal objection which will then be reviewed by the Director during the transition of this document to the next stage in the W3C Recommendation Track.

Thanks,

For the Web Security Context Working Group,
Thomas Roessler
W3C Staff Contact

1. http://www.w3.org/mid/D4569F365CCB49B6A29F8664BBF3B3AF@kmPC
2. http://www.w3.org/TR/2010/WD-wsc-ui-20100309/

=====

Your comment on 5.2 Types of TLS:

> Dear WG,
>
> Section 5.2 of Web Security Context: User Interface Guidelines seems to
> favour the https scheme over http used with TLS as specified by RFC
> 2817. On the other hand, the W3C Director, TAG, IANA and other parties
> have indicated many times that URI schemes should be employed only if
> they enable identifying with URIs a class of resources semantically
> distinct from what other schemes already cover. Security characteristics
> of access to a resource are orthogonal to the identity of the resource
> itself (proof: the same resource can be made available by both means).
> Therefore, https is redundant and SHOULD NOT be used, since its range
> coincides with that of http. Please redefine “strongly
> TLS-protected” to include http with RFC 2817.
>
> Best regards,
>
> Krzysztof Maczyński
> Invited Expert, HTML WG

Working Group Resolution (LC-2382):

We have discussed this. Since we deal with users and the user interface, we have taken into consideration user impacts. It would be confusing to users to see an indication of TLS security, such as augmented assurance (such as with EV) certificates, and an http: URI. This could be further exacerbated through copy/pasting the URI. We did however change 8.7 to refer to "TLS-protected HTTP" instead of "HTTPS".

----
Received on Friday, 23 April 2010 12:31:58 UTC