- From: Johnathan Nightingale <johnath@mozilla.com>
- Date: Fri, 14 Dec 2007 16:18:23 -0500
- To: "Mary Ellen Zurko" <Mary_Ellen_Zurko@notesdev.ibm.com>
- Cc: W3C WSC W3C WSC Public <public-wsc-wg@w3.org>
Received on Friday, 14 December 2007 21:18:45 UTC
On 14-Dec-07, at 2:42 PM, Mary Ellen Zurko wrote:

> > §5.5.3 - As I understand it, this creates an inescapable obligation on
> > user agents to store certificate history. Aside from the challenge
> > that no major browser currently does this (as far as I know), this
> > creates privacy and implementation concerns around data retention. We
> > don't say how long this information must be kept, but we say the
> > browser MUST treat it as a change of security level, which does not
> > seem to leave open the possibility of not storing it.
>
> I read it as remembering those two states for sites visited
> (strongly TLS protected and AA cert). Which isn't exactly the same
> thing, is it?

Well, my point is that it means remembering anything at all for sites visited, which we in Firefox currently do only for a fixed period of time. The current language doesn't seem to anticipate that behaviour, but retaining that data forever, even if it is just a couple boolean states, is a pretty tall order.

Cheers,

Johnathan

---
Johnathan Nightingale
Human Shield
johnath@mozilla.com
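
Added example, not part of the original message and not WSC specification text or Firefox code: a sketch of the retention trade-off raised above, in which a user agent remembers the two per-site states and can flag a change of security level only while the record survives. The class and function names, the `last_seen` field, the 90-day period and the host `bank.example` are assumptions made for illustration.

```python
from dataclasses import dataclass

DAY = 24 * 3600

@dataclass
class SiteRecord:
    strong_tls: bool   # "strongly TLS protected" state from the message
    aa_cert: bool      # "AA cert" state from the message
    last_seen: float   # time of last visit, in seconds (assumed field)

class SecurityLevelHistory:
    """Hypothetical per-site store; retention=None means keep forever."""

    def __init__(self, retention):
        self.retention = retention
        self.records = {}

    def purge(self, now):
        # Fixed-period expiry, the behaviour the message attributes to Firefox.
        if self.retention is None:
            return
        for host in [h for h, r in self.records.items()
                     if now - r.last_seen > self.retention]:
            del self.records[host]

    def observe(self, host, strong_tls, aa_cert, now):
        """Record a visit and classify it against the remembered state."""
        self.purge(now)
        prev = self.records.get(host)
        self.records[host] = SiteRecord(strong_tls, aa_cert, now)
        if prev is None:
            return "no-history"      # nothing to compare against
        if (prev.strong_tls, prev.aa_cert) == (strong_tls, aa_cert):
            return "unchanged"
        if (prev.strong_tls and not strong_tls) or (prev.aa_cert and not aa_cert):
            return "downgrade"       # a change of security level to surface
        return "upgrade"

def demo():
    """Same two visits, 120 days apart, under two retention policies."""
    results = {}
    for name, retention in (("90-day", 90 * DAY), ("forever", None)):
        store = SecurityLevelHistory(retention)
        store.observe("bank.example", True, True, now=0)
        results[name] = store.observe("bank.example", False, False, now=120 * DAY)
    return results

if __name__ == "__main__":
    print(demo())
```

With bounded retention the second visit is indistinguishable from a first visit, so the loss of both states goes unflagged; only the keep-forever store reports it, at the cost of retaining per-site data indefinitely.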