- From: Zack Weinberg <zackw@cmu.edu>
- Date: Tue, 10 Jun 2014 14:57:45 -0400
- To: Mike West <mkwst@google.com>
- Cc: noloader@gmail.com, "public-webappsec@w3.org" <public-webappsec@w3.org>
[Note: I'm not actually subscribed to public-webappsec, please cc: me
if you want me to comment.]
> Your interpretation is exactly what I was trying to express. We need one
> check that we can do before making a network connection ("Is it HTTP? Skip
> it."), and one check we can do after the TLS-handshake ("You want to use
> DH_anon? Really?").
>
> The terminology I started with was "a priori insecure" and "a posteriori
> insecure"[1]. I assumed that was too Kantian for a spec, but since you also
> landed on that distinction, I'm going to run with something like it. :)
I am happy with the new wording. The only further change I might
suggest is to give an example for "weakly TLS-protected"; especially
because that term's defined by reference to another spec, it needs
additional in-clueing.
zw
Received on Tuesday, 10 June 2014 18:58:09 UTC
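The two-stage check described in the quoted text (a scheme-based decision before any connection is made, then a decision on the negotiated TLS parameters after the handshake) can be sketched as a small classifier. This is an added example, not code from the thread, the public-webappsec spec, or either correspondent; the `ws:` scheme, the anonymous-key-exchange tokens, and the function names are assumptions of the example, and the cipher-suite strings are constructed inputs.

```python
"""Two-stage mixed-content classification, illustrating the thread's
'a priori insecure' (pre-connection) and 'a posteriori insecure'
(post-handshake) distinction. Added example; standard library only."""
from urllib.parse import urlsplit
from typing import Optional

# Schemes rejected before a connection is attempted ("Is it HTTP? Skip it.").
# The thread only names HTTP; cleartext WebSocket (ws:) is an assumption here.
A_PRIORI_INSECURE_SCHEMES = {"http", "ws"}

# Tokens that mark anonymous key exchange in common cipher-suite naming
# conventions (IANA-style "DH_anon", OpenSSL-style "ADH"/"AECDH").
# Constructed for the example; the thread itself only mentions DH_anon.
ANON_KX_TOKENS = {"ANON", "ADH", "AECDH"}


def a_priori_insecure(url: str) -> bool:
    """Pre-connection check: decided from the URL alone."""
    scheme = urlsplit(url).scheme.lower()
    return scheme in A_PRIORI_INSECURE_SCHEMES


def _tokens(cipher_suite: str) -> set:
    """Split a cipher-suite name on '-' and '_' into upper-case tokens."""
    return {tok.upper() for tok in cipher_suite.replace("_", "-").split("-") if tok}


def a_posteriori_insecure(cipher_suite: str) -> bool:
    """Post-handshake check: decided from the negotiated TLS parameters
    ("You want to use DH_anon? Really?"). Token-based matching avoids
    false positives from substrings inside unrelated names."""
    return bool(_tokens(cipher_suite) & ANON_KX_TOKENS)


def classify(url: str, negotiated_cipher: Optional[str] = None) -> str:
    """Return 'a priori insecure', 'a posteriori insecure', or 'ok'.

    negotiated_cipher is None when no TLS handshake has happened (yet)."""
    if a_priori_insecure(url):
        return "a priori insecure"          # no network connection needed
    if negotiated_cipher is not None and a_posteriori_insecure(negotiated_cipher):
        return "a posteriori insecure"      # only knowable after the handshake
    return "ok"


if __name__ == "__main__":
    # Constructed sample inputs.
    for u, c in [("http://example.com/img.png", None),
                 ("https://example.com/img.png", "TLS_DH_anon_WITH_AES_128_CBC_SHA"),
                 ("https://example.com/img.png", "ECDHE-RSA-AES128-GCM-SHA256")]:
        print(u, c, "->", classify(u, c))
```

The split into two functions mirrors the point of the thread: the first decision costs nothing and can short-circuit before any bytes are sent, while the second can only be made once the handshake has revealed what the peer actually negotiated.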