- From: Luis Barriga <luis.barriga@ericsson.com>
- Date: Tue, 6 Nov 2007 19:57:49 +0100
- To: <public-wsc-wg@w3.org>
Two comments:

Now>> "Web content SHOULD be designed offer the same security user experience across ..."

luis>> Web content designers can control user experience (UX) which is largely defined by the browser. Asking for the *same* UX is non-desirable. The web content designer can only control trust anchor and TLS consistency. Proposal to rephrase to:

New>> "Web content SHOULD be designed offer the trust and TLS consistency across ..."

Now>> "Web site owners operating TLS-protected sites should anticipate the use of those sites from mobile devices which may have constrained capabilities, or diverging sets of trust anchors"

luis>> Diverging sets of trust anchors is a consequence of, not an alternative to, constrained capabilities. Proposal to rephrase to:

New>> "Web site owners operating TLS-protected sites should anticipate the use of those sites from mobile devices which may have constrained capabilities e.g. diverging sets of trust anchors or limited cryptographic mechanisms"

-----Original Message-----
From: public-wsc-wg-request@w3.org on behalf of Thomas Roessler
Sent: Mon 2007-11-05 18:10
To: WSC WG
Subject: Proposal for ISSUE-130: TLS across multiple devices

I've done some word-smithing on ISSUE-130 in the spirit of our discussion, and after looking at some of the MWBP material. Here it is:

http://www.w3.org/2006/WSC/drafts/rec/#tls-across-devices

Web content SHOULD be designed offer the same security user experience across different user agents and devices. Web site owners SHOULD perform tests of the TLS security and trust features of their site on various devices. Web site owners operating TLS-protected sites should anticipate the use of those sites from mobile devices which may have constrained capabilities, or diverging sets of trust anchors. These limitations can usually be addressed in ways that preserve security without hurting the user experience on either device.

In particular, Web sites can often avoid designing to revert to an insecure state instead, blocking mobile access, or leaving trust decisions to the user.

Thoughts?

--
Thomas Roessler, W3C <tlr@w3.org>

Received on Tuesday, 6 November 2007 19:01:15 UTC