Re: [MIX]: "Assumed"/"Proven" Terminology.

From: Zack Weinberg <zackw@cmu.edu>
Date: Tue, 10 Jun 2014 14:57:45 -0400
Message-ID: <CAKCAbMidKqx8XeAOmMyAkgS1Si540x2TJ_SVs96mmbBUN3_d4A@mail.gmail.com>
To: Mike West <mkwst@google.com>
Cc: noloader@gmail.com, "public-webappsec@w3.org" <public-webappsec@w3.org>
[Note: I'm not actually subscribed to public-webappsec, please cc: me
if you want me to comment.]

> Your interpretation is exactly what I was trying to express. We need one
> check that we can do before making a network connection ("Is it HTTP? Skip
> it."), and one check we can do after the TLS-handshake ("You want to use
> DH_anon? Really?").
>
> The terminology I started with was "a priori insecure" and "a posteriori
> insecure"[1]. I assumed that was too Kantian for a spec, but since you also
> landed on that distinction, I'm going to run with something like it. :)

I am happy with the new wording. The only further change I might
suggest is to give an example for "weakly TLS-protected"; especially
because that term's defined by reference to another spec, it needs
additional in-clueing.

zw
Received on Tuesday, 10 June 2014 18:58:09 UTC
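The two-stage check Mike describes in the quoted text (one decision before any connection is opened, one after the TLS handshake) can be sketched as a small policy function. The code below is an added illustration, not text from the Mixed Content draft and not any browser's implementation. It assumes: that `http:` and `ws:` are the schemes judged insecure a priori, and that the only a posteriori condition checked is the anonymous key exchange the thread gives as its example (`DH_anon`, plus the `ECDH_anon` and OpenSSL-style `ADH-`/`AECDH-` spellings of the same thing). The real "weakly TLS-protected" definition is wider than that; this only shows where such a check would sit.

```python
"""Two-phase mixed-content classification (added example, not spec text).

Phase 1 looks only at the URL, so it can run before a network connection.
Phase 2 looks at what the TLS handshake negotiated, so it can only run after.
The cipher-suite heuristic and sample inputs are constructed for illustration.
"""
from typing import Optional
from urllib.parse import urlsplit

# Assumption: schemes that are insecure on sight ("Is it HTTP? Skip it.").
A_PRIORI_INSECURE_SCHEMES = {"http", "ws"}


def a_priori_insecure(url: str) -> bool:
    """Phase 1: decide from the URL alone, before any connection is opened."""
    scheme = urlsplit(url).scheme.lower()
    return scheme in A_PRIORI_INSECURE_SCHEMES


def a_posteriori_insecure(cipher_suite: str) -> bool:
    """Phase 2: decide from the negotiated cipher suite ("You want DH_anon? Really?").

    Assumption: only anonymous key exchange is flagged here. IANA names carry
    'anon' in the key-exchange field (TLS_DH_anon_..., TLS_ECDH_anon_...);
    OpenSSL names start with ADH- or AECDH-.
    """
    name = cipher_suite.upper()
    return "_ANON_" in name or name.startswith(("ADH-", "AECDH-"))


def classify(url: str, negotiated_suite: Optional[str] = None) -> str:
    """Run the two checks in the order a fetch would meet them.

    negotiated_suite is None until the handshake has completed, so phase 2
    reports 'pending handshake' rather than guessing.
    """
    if a_priori_insecure(url):
        return "a priori insecure"        # never connect
    if negotiated_suite is None:
        return "pending handshake"        # connect, then call again
    if a_posteriori_insecure(negotiated_suite):
        return "a posteriori insecure"    # connected, but the handshake was weak
    return "secure"


def run_samples() -> dict:
    """Classify a few constructed (url, suite) pairs; returns {url_or_pair: verdict}."""
    samples = [
        ("http://example.test/lib.js", None),
        ("https://example.test/lib.js", None),
        ("https://example.test/lib.js", "TLS_DH_anon_WITH_AES_128_CBC_SHA"),
        ("wss://example.test/socket", "AECDH-AES128-SHA"),
        ("https://example.test/lib.js", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"),
    ]
    return {(url, suite): classify(url, suite) for url, suite in samples}


if __name__ == "__main__":
    for (url, suite), verdict in run_samples().items():
        print(f"{url:35} {str(suite):45} -> {verdict}")
```

The split mirrors the terminology in the thread: the first branch needs nothing but the scheme, so a user agent can refuse before sending a single packet; the second needs the handshake result, so it can only reject after the connection exists.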