- From: Web Security Context Working Group Issue Tracker <sysbot+tracker@w3.org>
- Date: Fri, 14 Dec 2007 22:05:18 +0000 (GMT)
- To: public-wsc-wg@w3.org
ISSUE-136: Allow new established patterns to redefine what's expected in terms of strong TLS protection [wsc-xit]

http://www.w3.org/2006/WSC/track/issues/

Raised by: Mary Ellen Zurko

On product: wsc-xit

5.5.3 "Web user agents that have found a resource strongly TLS protected during past interactions MUST consider an interaction with the same resource as a change of security level if that interaction is not strongly TLS protected."

I believe the "during past interactions" to be stronger than we intend. It seems to include a site that used to be strongly TLS protected long ago, changed over to a self-signed cert, and even after the probation period. I would argue that a new pattern has been established by then, therefore there is no change in security level.

Received on Friday, 14 December 2007 22:05:25 UTC