
Re: [MIX] Initial feedback on Mixed Content

From: Mike West <mkwst@google.com>
Date: Mon, 24 Nov 2014 10:16:37 +0100
Message-ID: <CAKXHy=dsYXWg2S0xM-vi3KgW9Ot9uUD3e0=JM05nKDyNJXoxWA@mail.gmail.com>
To: Brian Smith <brian@briansmith.org>
Cc: Jake Archibald <jakearchibald@google.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
Thanks again! Here's a little additional commentary.

 21, 2014 at 11:48 PM, Brian Smith <brian@briansmith.org> wrote:
>
>> Note that I'm not sure any browser other than Chrome implements the
>> logic for "deprecated TLS-protection."
>
>
I think Mozilla's SHA-1 deprecation flow will end up looking similar to
Chrome's. I don't know if that team in particular wants to start treating
SHA-1-protected resources as mixed content, but Chrome certainly plans to.


> But, effectively, all this really means is that the implementation may
>> choose to block a fetch for any implementation-defined reason.
>
>
To be precise, the implementation may choose to _distrust a TLS handshake_
for any implementation-defined reason.


> This makes me think that the stuff regarding "deprecated TLS-protection"
>> can be removed too. Or, rather, perhaps it should be deferred until
>> deprecated TLS-protection is defined.
>>
>
It's not clear that we can define it in a way that's not immediately
outdated, hence the open-ended definition. See
http://www.w3.org/TR/2010/REC-wsc-ui-20100812/#typesoftls for examples of
how that goes wrong over time.

I think it's always the case that we will need mechanisms for deprecating
cipher suites, signing algorithms, etc. I'm open to suggestions around
phrasing that requirement in a less vendor-specific way, but I'm reluctant
to remove it from the spec, as I do think it's a pretty reasonable concept
to enshrine in spec text.


> My understanding is you are planning to make changes (just removing
>> section 5? or more?) to the rest of the document, so I'll stop here
>> until you've done so.
>>
>
Dropped the "powerful features" section now that it looks like we're
splitting that out into a separate document:
https://github.com/w3c/webappsec/commit/52a9881829877ebe7ee9a7aad340f873d9b99210

I don't think there's anything in particular planned for anything else in
the doc, so feel free to constructively tear it up!

-mike

--
Mike West <mkwst@google.com>
Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91

Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Register court and number: Hamburg, HRB 86891
Registered office: Hamburg
Managing directors: Graham Law, Christine Elizabeth Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)
Received on Monday, 24 November 2014 09:17:26 UTC