Re: wsc-xit review comments

> §5.5.3 - As I understand it, this creates an inescapable obligation on 
> user agents to store certificate history.  Aside from the challenge 
> that no major browser currently does this (as far as I know), this 
> creates privacy and implementation concerns around data retention.  We 
> don't say how long this information must be kept, but we say the 
> browser MUST treat it as a change of security level, which does not 
> seem to leave open the possibility of not storing it.

I read it as remembering those two states for sites visited (strongly TLS-protected
and AA cert). Which isn't exactly the same thing, is it?

Received on Friday, 14 December 2007 20:00:38 UTC