Re: [MIX]: "Assumed"/"Proven" Terminology.

[Note: I'm not actually subscribed to public-webappsec, please cc: me
if you want me to comment.]

> Your interpretation is exactly what I was trying to express. We need one
> check that we can do before making a network connection ("Is it HTTP? Skip
> it."), and one check we can do after the TLS-handshake ("You want to use
> DH_anon? Really?").
>
> The terminology I started with was "a priori insecure" and "a posteriori
> insecure"[1]. I assumed that was too Kantian for a spec, but since you also
> landed on that distinction, I'm going to run with something like it. :)

I am happy with the new wording. The only further change I might
suggest is to give an example for "weakly TLS-protected"; especially
because that term's defined by reference to another spec, it needs
additional in-clueing.

zw

Received on Tuesday, 10 June 2014 18:58:09 UTC
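The two-stage check discussed above, sketched as an added example; it is not code from this thread, from the Mixed Content spec, or from any browser. The thread supplies only the "Is it HTTP?" scheme check and the DH_anon case; treating ws like http, and treating NULL and EXPORT suites as weak alongside anonymous key exchange, are this example's own assumptions, and the URLs and cipher-suite names are constructed inputs.

```python
"""Two-stage mixed-content check: one test before any connection is made
(the URL alone decides), one after the TLS handshake (the negotiated
cipher suite decides).

Added example, not code from the thread or the Mixed Content spec. The
thread mentions only http for the first check and DH_anon for the second;
every other scheme and cipher-suite rule below is this example's assumption.
"""
from typing import Optional
from urllib.parse import urlsplit

# Check 1 (before any network connection): schemes rejected on sight.
# http comes from the thread; treating ws the same way is an assumption.
A_PRIORI_INSECURE_SCHEMES = {"http", "ws"}

# Check 2 (after the TLS handshake): markers of suites a user agent would
# refuse to call protected. Anonymous key exchange (DH_anon) comes from the
# thread; NULL encryption and EXPORT suites are added here as assumptions.
# Markers cover IANA names (TLS_DH_anon_...) and OpenSSL names (ADH-...).
WEAK_SUITE_MARKERS = ("ANON", "ADH-", "AECDH-", "NULL", "EXPORT", "EXP-")


def a_priori_insecure(url: str) -> bool:
    """Check 1: can this resource be rejected without connecting?"""
    scheme = urlsplit(url).scheme.lower()
    return scheme in A_PRIORI_INSECURE_SCHEMES


def weakly_tls_protected(suite: str) -> bool:
    """Check 2: did the handshake land on a suite we will not trust?

    Matching is by substring on the upper-cased suite name, so both
    'TLS_DH_anon_WITH_AES_128_CBC_SHA' and 'ADH-AES128-SHA' are caught.
    """
    name = suite.upper()
    return any(marker in name for marker in WEAK_SUITE_MARKERS)


def classify(url: str, negotiated_suite: Optional[str] = None) -> str:
    """Run the two checks in order and return the resulting label.

    `negotiated_suite` is whatever the TLS stack reported once the
    handshake finished; it is None when no connection was made.
    """
    if a_priori_insecure(url):
        # "Is it HTTP? Skip it." No handshake happens, so the suite is moot.
        return "a priori insecure"
    if negotiated_suite is None:
        raise ValueError("post-handshake check needs the negotiated suite")
    if weakly_tls_protected(negotiated_suite):
        # "You want to use DH_anon? Really?"
        return "a posteriori insecure"
    return "TLS-protected"


if __name__ == "__main__":
    # Constructed sample inputs, not captured handshake data.
    samples = [
        ("http://example.com/app.js", None),
        ("https://example.com/app.js", "TLS_DH_anon_WITH_AES_128_CBC_SHA"),
        ("https://example.com/app.js", "ADH-AES128-SHA"),
        ("https://example.com/app.js", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"),
    ]
    for url, suite in samples:
        print(f"{url} [{suite}] -> {classify(url, suite)}")
```

The point of splitting the checks is that the first one costs nothing and never touches the network, while the second can only be answered once the TLS stack has told you what it negotiated; a resource that fails the first check never reaches the second.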