- From: Johnathan Nightingale <johnath@mozilla.com>
- Date: Fri, 15 Feb 2008 16:12:43 -0500
- To: W3C WSC W3C WSC Public <public-wsc-wg@w3.org>
The current normative text in section 5.5.3 reads: > Web user agents that have found a resource strongly TLS protected > during past interactions MUST consider an interaction with the same > resource as a change of security level if that interaction is not > strongly TLS protected. Web user agents that have found a resource > strongly TLS protected with an Augmented Assurance Certificate > SHOULD consider an interaction with the same resource as a change of > security level if that interaction is not strongly TLS protected > with an Augmented Assurance Certificate. The concern I raised was that this seems to imply an obligation on user agents to store certificate history for an indeterminate period of time, and potentially independent of any privacy settings the agent might otherwise support. For the purposes of addressing this concern, I think the text that is there is basically fine, but just needs to be elaborated on. We want to say that we're not forcing the user agent to store this indefinitely, just that they keep it around *at least as long* as other history information. I propose adding a new paragraph: The requirements in this section do not require user agents to store information about past interactions longer than they otherwise would. Historical TLS information stored for the purposes of evaluating changes of security level MAY be expunged from the user agent on the same schedule as other browsing history information. Historical TLS information MUST NOT be expunged prior to other browsing history information. I believe this completes ACTION-376. Cheers, Johnathan --- Johnathan Nightingale Human Shield johnath@mozilla.com
Received on Friday, 15 February 2008 21:13:23 UTC