Re: wsc-xit review comments from Mary Ellen Zurko on 2007-12-14 (public-wsc-wg@w3.org from December 2007)

From: Mary Ellen Zurko <Mary_Ellen_Zurko@notesdev.ibm.com>
Date: Fri, 14 Dec 2007 14:42:46 -0500
To: "Johnathan Nightingale <johnath" <johnath@mozilla.com>
Cc: W3C WSC W3C WSC Public <public-wsc-wg@w3.org>
Message-ID: <OF8BD329DF.13758EE0-ON852573B1.006BC5EC-852573B1.006C4965@LocalDomain>

> §5.5.3 - As I understand it, this creates an inescapable obligation on 
> user agents to store certificate history.  Aside from the challenge 
> that no major browser currently does this (as far as I know), this 
> creates privacy and implementation concerns around data retention.  We 
> don't say how long this information must be kept, but we say the 
> browser MUST treat it as a change of security level, which does not 
> seem to leave open the possibility of not storing it.

I read it as remembering those two states for sites visited (strongly TLS 
protected and AA cert). Which isn't exactly the same thing, is it?

Received on Friday, 14 December 2007 20:00:38 UTC