Re: [MIX] Initial feedback on Mixed Content

Thanks again! Here's a little additional commentary.

 21, 2014 at 11:48 PM, Brian Smith <> wrote:
>> Note that I'm not sure any browser other than Chrome implements the
>> logic for "deprecated TLS-protection."
I think Mozilla's SHA-1 deprecation flow will end up looking similar to
Chrome's. I don't know if that team in particular wants to start treating
SHA-1-protected resources as mixed content, but Chrome certainly plans to.

> But, effectively, all this really means is that the implementation may
>> choose to block a fetch for any implementation-defined reason.
To be precise, the implementation may choose to _distrust a TLS handshake_
for any implementation defined reason.

> This makes me think that the stuff regarding "deprecated TLS-protection"
>> can be removed too. Or, rather, perhaps it should be deferred until
>> deprecated TLS-protection is defined.
It's not clear that we can define it in a way that's not immediately
outdated, hence the open-ended definition. See for examples of
how that goes wrong over time.

I think it's always the case that we will need mechanisms for deprecating
cipher suites, signing algorithms, etc. I'm open to suggestions around
phrasing that requirement in a less vendor-specific way, but I'm reluctant
to remove it from the spec, as I do think it's a pretty reasonable concept
to enshrine in spec text.

> My understanding is you are planning to make changes (just removing
>> section 5? or more?) to the rest of the document, so I'll stop here
>> until you've done so.
Dropped the "powerful features" section now that it looks like we're
splitting that out into a separate document:

I don't think there's anything in particular planned for anything else in
the doc, so feel free to constructively tear it up!


Mike West <>
Google+:, Twitter: @mikewest, Cell: +49 162 10 255 91

Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Registergericht und -nummer: Hamburg, HRB 86891
Sitz der Gesellschaft: Hamburg
Geschäftsführer: Graham Law, Christine Elizabeth Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)

Received on Monday, 24 November 2014 09:17:26 UTC