Re: ACTION-376: Rewrite 5.5.3 to be more explicit about history tracking

Hey Tim,

I agree with you here, and it was my thinking as well, that bookmarks  
should persist that information.  I guess in a lawyerish reading, you  
could argue it was already implied by the current text but I see no  
reason not to make it explicit.  How about:

> The requirements in this section do not require user agents to store
> information about past interactions longer than they otherwise would.
> Historical TLS information stored for the purposes of evaluating
> changes of security level MAY be expunged from the user agent on the
> same schedule as other browsing history information (e.g. visit  
> logs, bookmarks).  Historical TLS
> information MUST NOT be expunged prior to other browsing history
> information.


I don't know if a parenthetical (e.g.) is considered appropriate for  
normative text, but really I think we just want to cue implementors  
here.  If you would favour something more direct ("For the purposes of  
this requirement, browsing history includes..." I think I'd be fine  
with any alternate text you suggested along those lines as well.

Cheers,

Johnathan

On 18-Feb-08, at 8:00 AM, Timothy Hahn wrote:

>
> Jonathan,
>
> I agree with the intent of the changes/addition (that user agents  
> not be required to hold historical TLS information indefinitely).
>
> Does the reference to "other browsing history information" cover  
> whatever is bookmarked?  My opinion is that for purposes of the  
> added paragraph below, it should.  Thus, historical TLS information  
> related to a bookmarked item SHOULD NOT be expunged from a user  
> agent before the bookmark itself is removed.
>
> Regards,
> Tim Hahn
> IBM Distinguished Engineer
>
> Internet: hahnt@us.ibm.com
> Internal: Timothy Hahn/Durham/IBM@IBMUS
> phone: 919.224.1565     tie-line: 8/687.1565
> fax: 919.224.2530
>
>
>
> From:	Johnathan Nightingale <johnath@mozilla.com>
> To:	W3C WSC W3C WSC Public <public-wsc-wg@w3.org>
> Date:	02/15/2008 04:52 PM
> Subject:	ACTION-376: Rewrite 5.5.3 to be more explicit about history  
> tracking
>
>
>
>
>
> The current normative text in section 5.5.3 reads:
>
> > Web user agents that have found a resource strongly TLS protected
> > during past interactions MUST consider an interaction with the same
> > resource as a change of security level if that interaction is not
> > strongly TLS protected. Web user agents that have found a resource
> > strongly TLS protected with an Augmented Assurance Certificate
> > SHOULD consider an interaction with the same resource as a change of
> > security level if that interaction is not strongly TLS protected
> > with an Augmented Assurance Certificate.
>
> The concern I raised was that this seems to imply an obligation on
> user agents to store certificate history for an indeterminate period
> of time, and potentially independent of any privacy settings the agent
> might otherwise support.  For the purposes of addressing this concern,
> I think the text that is there is basically fine, but just needs to be
> elaborated on.  We want to say that we're not forcing the user agent
> to store this indefinitely, just that they keep it around *at least as
> long* as other history information.
>
> I propose adding a new paragraph:
>
> The requirements in this section do not require user agents to store
> information about past interactions longer than they otherwise would.
> Historical TLS information stored for the purposes of evaluating
> changes of security level MAY be expunged from the user agent on the
> same schedule as other browsing history information.  Historical TLS
> information MUST NOT be expunged prior to other browsing history
> information.
>
> I believe this completes ACTION-376.
>
> Cheers,
>
> Johnathan
>
> ---
> Johnathan Nightingale
> Human Shield
> johnath@mozilla.com
>
>
>
>
>
>

---
Johnathan Nightingale
Human Shield
johnath@mozilla.com