- From: Luis Barriga <luis.barriga@ericsson.com>
- Date: Fri, 21 Dec 2007 14:36:56 +0100
- To: <public-wsc-wg@w3.org>
As agreed at the latest meeting, here are my comments on the draft from November 28th.

4.2.2 Attacks
-------------

Why is the whack-a-mole attack the only attack mentioned here? There are other attacks too. Shouldn't this section be moved to the threat trees document? Or maybe this section should also refer to the Threat Trees document?

5.0 Applying TLS to the Web
----------------------------

Which version of TLS is the draft assuming? RFC2818 (HTTP over TLS) is informational, which in turn refers to TLS 1.0 (RFC2246), obsoleted by 1.1, which will be obsoleted by v1.2 (RFC4346). One of the additions to the new TLS is that pre-shared keys (PSK) can be used for establishing a TLS session. It is open for future discussion whether we class this type of transaction as weak or strong TLS.

5.3.6 Interactively accepting trust anchors or certificates
-----------------------------------------------------------

The definition of "interactively accepted" trust anchor (TA) or cert excludes the case when a user installs a TA/Cert as a primary task. I recall having seen cases in enterprises where employees receive directives on how to update roots/certs. Also, when I update the OS on my home PC, some certs are updated too. Whether that is done as a primary or secondary task doesn't look relevant to me, since the result is the same. I suggest letting the definition focus on the user being involved by providing explicit consent to install the TA/Cert.

9.2 Use TLS for Login Pages
---------------------------

Current text is: "All login pages MUST be served from secure servers ie. login pages must be TLS protected"

Shouldn't that be "login pages must be strongly TLS-protected"?

9.5 Security Experience Across Devices
--------------------------------------

I have commented on this section previously. See http://lists.w3.org/Archives/Public/public-wsc-wg/2007Nov/0015.html

I include those comments slightly rephrased for better readability.

Current text>> "Web content SHOULD be designed offer the same security user experience across ..."

Web content designers can't control user experience (UX) which is largely defined by the browser. Asking for the *same* UX is non-desirable. The web content designer can only control trust anchor and TLS consistency. Proposal to rephrase to:

Proposal>> "Web content SHOULD be designed offer the same trust and TLS consistency across ..."

Current text>> "Web site owners operating TLS-protected sites should anticipate the use of those sites from mobile devices which may have constrained capabilities, or diverging sets of trust anchors"

luis>> As phrased, "diverging sets of trust anchors" looks like an alternative to "constrained capabilities". In reality, the divergence is a consequence of constrained capabilities:

Proposal>> "Web site owners operating TLS-protected sites should anticipate the use of those sites from mobile devices which may have constrained capabilities e.g. diverging sets of trust anchors or limited cryptographic mechanisms"

Typos
-----

Occured >> occurred
Atttested >> attested
6.3 "... provide a a primary "
Received on Friday, 21 December 2007 13:37:06 UTC