- From: Mike West <mkwst@google.com>
- Date: Mon, 24 Nov 2014 10:16:37 +0100
- To: Brian Smith <brian@briansmith.org>
- Cc: Jake Archibald <jakearchibald@google.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
- Message-ID: <CAKXHy=dsYXWg2S0xM-vi3KgW9Ot9uUD3e0=JM05nKDyNJXoxWA@mail.gmail.com>
Thanks again! Here's a little additional commentary.

21, 2014 at 11:48 PM, Brian Smith <brian@briansmith.org> wrote:

> Note that I'm not sure any browser other than Chrome implements the
> logic for "deprecated TLS-protection."

I think Mozilla's SHA-1 deprecation flow will end up looking similar to Chrome's. I don't know if that team in particular wants to start treating SHA-1-protected resources as mixed content, but Chrome certainly plans to.

> But, effectively, all this really means is that the implementation may
> choose to block a fetch for any implementation-defined reason.

To be precise, the implementation may choose to _distrust a TLS handshake_ for any implementation-defined reason.

> This makes me think that the stuff regarding "deprecated TLS-protection"
> can be removed too. Or, rather, perhaps it should be deferred until
> deprecated TLS-protection is defined.

It's not clear that we can define it in a way that's not immediately outdated, hence the open-ended definition. See http://www.w3.org/TR/2010/REC-wsc-ui-20100812/#typesoftls for examples of how that goes wrong over time. I think it's always the case that we will need mechanisms for deprecating cipher suites, signing algorithms, etc. I'm open to suggestions around phrasing that requirement in a less vendor-specific way, but I'm reluctant to remove it from the spec, as I do think it's a pretty reasonable concept to enshrine in spec text.

> My understanding is you are planning to make changes (just removing
> section 5? or more?) to the rest of the document, so I'll stop here
> until you've done so.

Dropped the "powerful features" section now that it looks like we're splitting that out into a separate document: https://github.com/w3c/webappsec/commit/52a9881829877ebe7ee9a7aad340f873d9b99210

I don't think there's anything in particular planned for anything else in the doc, so feel free to constructively tear it up!

-mike

--
Mike West <mkwst@google.com>
Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91

Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Registergericht und -nummer: Hamburg, HRB 86891
Sitz der Gesellschaft: Hamburg
Geschäftsführer: Graham Law, Christine Elizabeth Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)
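The message above argues for keeping "deprecated TLS-protection" open-ended: the spec says only that a user agent may distrust a TLS handshake for implementation-defined reasons, and that resources fetched over such a handshake can be treated as mixed content. The following is an added example, not code from the thread, from Chrome, or from the Mixed Content spec, showing one way a user agent could structure that decision so the deprecation list lives in the implementation rather than in spec text. The handshake descriptions are constructed, and every function, field and rule name here is an assumption made for illustration.

```javascript
// Added illustration of the "deprecated TLS-protection" idea from the thread.
// Not the spec's or any browser's actual code; all names are assumptions.

// Constructed handshake descriptions, shaped like what a UA's network stack
// might report for a connection. Not captured from a real server.
const HANDSHAKES = {
  modern: {
    protocol: 'TLSv1.2',
    cipherSuite: 'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256',
    chain: [{ sigAlg: 'sha256WithRSAEncryption', keyBits: 2048, isRoot: false },
            { sigAlg: 'sha256WithRSAEncryption', keyBits: 4096, isRoot: true }],
  },
  sha1Leaf: {
    protocol: 'TLSv1.2',
    cipherSuite: 'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256',
    chain: [{ sigAlg: 'sha1WithRSAEncryption', keyBits: 2048, isRoot: false },
            { sigAlg: 'sha256WithRSAEncryption', keyBits: 4096, isRoot: true }],
  },
  rc4: {
    protocol: 'TLSv1.0',
    cipherSuite: 'TLS_RSA_WITH_RC4_128_SHA',
    chain: [{ sigAlg: 'sha256WithRSAEncryption', keyBits: 2048, isRoot: false },
            { sigAlg: 'sha1WithRSAEncryption', keyBits: 2048, isRoot: true }],
  },
};

// Implementation-defined deprecation rules: named predicates over a handshake.
// Adding or retiring one changes UA behaviour without any spec change, which
// is the point of leaving the spec definition open-ended. A root certificate
// is self-signed, so its own signature algorithm is deliberately not checked:
// the anchor is trusted by identity, not by its signature.
const DEPRECATION_RULES = [
  { name: 'sha1-signature',
    applies: h => h.chain.some(c => !c.isRoot && /^sha1/i.test(c.sigAlg)) },
  { name: 'rc4-cipher', applies: h => /_RC4_/.test(h.cipherSuite) },
  { name: 'ssl3', applies: h => h.protocol === 'SSLv3' },
  { name: 'rsa-key-under-2048',
    applies: h => h.chain.some(c => c.keyBits < 2048) },
];

// Returns { state: 'modern' | 'deprecated' | 'none', reasons: [...] }.
function tlsProtectionState(handshake, rules = DEPRECATION_RULES) {
  if (!handshake) return { state: 'none', reasons: [] };
  const reasons = rules.filter(r => r.applies(handshake)).map(r => r.name);
  return { state: reasons.length ? 'deprecated' : 'modern', reasons };
}

// Destinations a UA may load with a console warning instead of blocking
// (the "optionally-blockable" request contexts of the Mixed Content spec).
const OPTIONALLY_BLOCKABLE = new Set(['image', 'audio', 'video']);

// Decide what to do with a subresource fetch issued by a document at pageUrl.
// An HTTPS resource whose handshake has deprecated TLS-protection is handled
// exactly like a plaintext http: resource, i.e. as mixed content.
function classifyFetch(pageUrl, requestUrl, destination, handshake, rules) {
  const secureSchemes = new Set(['https:', 'wss:']);
  const page = new URL(pageUrl);
  const req = new URL(requestUrl);
  if (!secureSchemes.has(page.protocol)) {
    // A plaintext document cannot have mixed content.
    return { mixed: false, decision: 'allow', reasons: [] };
  }
  let reasons = [];
  if (!secureSchemes.has(req.protocol)) {
    reasons = ['plaintext-scheme'];
  } else {
    const tls = tlsProtectionState(handshake, rules);
    if (tls.state !== 'modern') {
      reasons = tls.reasons.length ? tls.reasons : ['no-handshake'];
    }
  }
  if (reasons.length === 0) return { mixed: false, decision: 'allow', reasons };
  const decision = OPTIONALLY_BLOCKABLE.has(destination) ? 'warn' : 'block';
  return { mixed: true, decision, reasons };
}

// Stand-alone demo over the constructed handshakes.
for (const [name, h] of Object.entries(HANDSHAKES)) {
  const r = classifyFetch('https://example.com/', 'https://cdn.example.net/a.js',
                          'script', h);
  console.log(name, r.decision, r.reasons.join(','));
}
```

The separation matters for the argument in the thread: `classifyFetch` encodes the stable spec concept (a secure document, a request, and a handshake the UA does or does not trust), while `DEPRECATION_RULES` is the part that will keep changing as SHA-1, RC4 and the rest age out, and it is the part a spec should not try to enumerate.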
Received on Monday, 24 November 2014 09:17:26 UTC