RE: Proposal for ISSUE-130: TLS across multiple devices

Two comments:

Now>> "Web content SHOULD be designed to offer the same security user experience across ..."

luis>> Web content designers can control user experience (UX), which is largely defined by the browser. Asking for the *same* UX is non-desirable. The web content designer can only control trust anchor and TLS consistency. Proposal to rephrase to:

New>> "Web content SHOULD be designed to offer the trust and TLS consistency across ..."

Now>>"Web site owners operating TLS-protected sites should anticipate the use of those sites from mobile devices which may have constrained capabilities, or diverging sets of trust anchors"

luis>> Diverging sets of trust anchors is a consequence of, not an alternative to, constrained capabilities. Proposal to rephrase to:

New>> "Web site owners operating TLS-protected sites should anticipate the use of those sites from mobile devices which may have constrained capabilities, e.g. diverging sets of trust anchors or limited cryptographic mechanisms"


-----Original Message-----
From: public-wsc-wg-request@w3.org on behalf of Thomas Roessler
Sent: Mon 2007-11-05 18:10
To: WSC WG
Subject: Proposal for ISSUE-130: TLS across multiple devices
 

I've done some word-smithing on ISSUE-130 in the spirit of our
discussion, and after looking at some of the MWBP material. Here it
is:

  http://www.w3.org/2006/WSC/drafts/rec/#tls-across-devices

  Web content SHOULD be designed to offer the same security user
  experience across different user agents and devices. Web site
  owners SHOULD perform tests of the TLS security and trust features
  of their site on various devices.

  Web site owners operating TLS-protected sites should anticipate
  the use of those sites from mobile devices which may have
  constrained capabilities, or diverging sets of trust anchors.
  These limitations can usually be addressed in ways that preserve
  security without hurting the user experience on either device. In
  particular, Web sites can often avoid designing to revert to an
  insecure state instead, blocking mobile access, or leaving trust
  decisions to the user.

Thoughts?
-- 
Thomas Roessler, W3C  <tlr@w3.org>

Received on Tuesday, 6 November 2007 19:01:15 UTC