- From: Johnathan Nightingale <johnath@mozilla.com>
- Date: Wed, 20 Feb 2008 10:13:32 -0500
- To: Timothy Hahn <hahnt@us.ibm.com>
- Cc: W3C WSC Public <public-wsc-wg@w3.org>
- Message-Id: <558CF12F-DCFA-4ECE-AE96-4E5CD0A7C12E@mozilla.com>
Sounds good to me!
Cheers,
J
On 19-Feb-08, at 10:38 PM, Timothy Hahn wrote:
>
> Jonathan,
>
> Sounds good. I think for the normative text we should be as
> explicit as possible.
>
> Proposed text:
>
> The requirements in this section do not require user agents to store
> information about past interactions longer than they otherwise would.
> Historical TLS information stored for the purposes of evaluating
> changes of security level MAY be expunged from the user agent on the
> same schedule as other browsing history information. Historical TLS
> information MUST NOT be expunged prior to other browsing history
> information. For purposes of this requirement, browsing history
> information includes visit logs, bookmarks, and information stored in a
> user agent cache.
>
>
> The one thing I added above (within the blue text) is that I also
> noted cache contents in addition to visit logs and bookmarks.
>
> Regards,
> Tim Hahn
> IBM Distinguished Engineer
>
> Internet: hahnt@us.ibm.com
> Internal: Timothy Hahn/Durham/IBM@IBMUS
> phone: 919.224.1565 tie-line: 8/687.1565
> fax: 919.224.2530
>
> From: Johnathan Nightingale <johnath@mozilla.com>
> To: Timothy Hahn/Durham/IBM@IBMUS
> Cc: W3C WSC Public <public-wsc-wg@w3.org>
> Date: 02/19/2008 10:48 AM
> Subject: Re: ACTION-376: Rewrite 5.5.3 to be more explicit about
> history tracking
>
> Hey Tim,
>
> I agree with you here, and it was my thinking as well, that
> bookmarks should persist that information. I guess in a lawyerish
> reading, you could argue it was already implied by the current text
> but I see no reason not to make it explicit. How about:
>
> The requirements in this section do not require user agents to store
> information about past interactions longer than they otherwise would.
> Historical TLS information stored for the purposes of evaluating
> changes of security level MAY be expunged from the user agent on the
> same schedule as other browsing history information (e.g. visit
> logs, bookmarks). Historical TLS
> information MUST NOT be expunged prior to other browsing history
> information.
>
> I don't know if a parenthetical (e.g.) is considered appropriate for
> normative text, but really I think we just want to cue implementors
> here. If you would favour something more direct ("For the purposes
> of this requirement, browsing history includes..."), I think I'd be
> fine with any alternate text you suggested along those lines as well.
>
> Cheers,
>
> Johnathan
>
> On 18-Feb-08, at 8:00 AM, Timothy Hahn wrote:
>
> Jonathan,
>
> I agree with the intent of the changes/addition (that user agents
> not be required to hold historical TLS information indefinitely).
>
> Does the reference to "other browsing history information" cover
> whatever is bookmarked? My opinion is that for purposes of the
> added paragraph below, it should. Thus, historical TLS information
> related to a bookmarked item SHOULD NOT be expunged from a user
> agent before the bookmark itself is removed.
>
> Regards,
> Tim Hahn
> IBM Distinguished Engineer
>
> Internet: hahnt@us.ibm.com
> Internal: Timothy Hahn/Durham/IBM@IBMUS
> phone: 919.224.1565 tie-line: 8/687.1565
> fax: 919.224.2530
>
>
> From: Johnathan Nightingale <johnath@mozilla.com>
> To: W3C WSC W3C WSC Public <public-wsc-wg@w3.org>
> Date: 02/15/2008 04:52 PM
> Subject: ACTION-376: Rewrite 5.5.3 to be more explicit about history
> tracking
>
> The current normative text in section 5.5.3 reads:
>
> > Web user agents that have found a resource strongly TLS protected
> > during past interactions MUST consider an interaction with the same
> > resource as a change of security level if that interaction is not
> > strongly TLS protected. Web user agents that have found a resource
> > strongly TLS protected with an Augmented Assurance Certificate
> > SHOULD consider an interaction with the same resource as a change of
> > security level if that interaction is not strongly TLS protected
> > with an Augmented Assurance Certificate.
>
> The concern I raised was that this seems to imply an obligation on
> user agents to store certificate history for an indeterminate period
> of time, and potentially independent of any privacy settings the agent
> might otherwise support. For the purposes of addressing this concern,
> I think the text that is there is basically fine, but just needs to be
> elaborated on. We want to say that we're not forcing the user agent
> to store this indefinitely, just that they keep it around *at least as
> long* as other history information.
>
> I propose adding a new paragraph:
>
> The requirements in this section do not require user agents to store
> information about past interactions longer than they otherwise would.
> Historical TLS information stored for the purposes of evaluating
> changes of security level MAY be expunged from the user agent on the
> same schedule as other browsing history information. Historical TLS
> information MUST NOT be expunged prior to other browsing history
> information.
>
> I believe this completes ACTION-376.
>
> Cheers,
>
> Johnathan
>
> ---
> Johnathan Nightingale
> Human Shield
> johnath@mozilla.com
>
> ---
> Johnathan Nightingale
> Human Shield
> johnath@mozilla.com
>
---
Johnathan Nightingale
Human Shield
johnath@mozilla.com
Received on Wednesday, 20 February 2008 15:14:09 UTC
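The two rules discussed in this thread, the 5.5.3 change-of-security-level test and the proposed retention paragraph (TLS history expunged on the same schedule as visit logs, bookmarks and cache, never earlier), as an added Python model. This is illustrative code written for this page, not WG text or any browser's implementation; the `Level` enum, the `UserAgentHistory` fields, the `expunge`/`remove_bookmark` API and the sample resources are assumptions of the example.

```python
from dataclasses import dataclass, field
from enum import IntEnum
from typing import Dict, List, Optional, Set


class Level(IntEnum):
    """Security level of one interaction (names are this example's, not the spec's)."""
    NONE = 0       # not strongly TLS protected
    STRONG = 1     # strongly TLS protected
    STRONG_AA = 2  # strongly TLS protected with an Augmented Assurance Certificate


@dataclass
class UserAgentHistory:
    """Hypothetical user-agent history store; field names are this example's own."""
    visits: Dict[str, int] = field(default_factory=dict)          # resource -> last visit time
    bookmarks: Set[str] = field(default_factory=set)              # bookmarked resources
    cache: Set[str] = field(default_factory=set)                  # resources with a cached copy
    tls_history: Dict[str, Level] = field(default_factory=dict)   # resource -> best level seen

    def change_of_security_level(self, resource: str, level: Level) -> Optional[str]:
        """Apply the two sentences of 5.5.3 to a new interaction at `level`."""
        past = self.tls_history.get(resource)
        if past is None:
            return None                      # nothing known from past interactions
        if past >= Level.STRONG and level < Level.STRONG:
            return "MUST"                    # was strongly TLS protected, now is not
        if past == Level.STRONG_AA and level < Level.STRONG_AA:
            return "SHOULD"                  # was AA-protected, now strong but without AA
        return None

    def interact(self, resource: str, level: Level, now: int) -> Optional[str]:
        """Evaluate, then record the interaction in visit log, cache and TLS history."""
        verdict = self.change_of_security_level(resource, level)
        self.visits[resource] = now
        self.cache.add(resource)
        if level > Level.NONE:
            # Remember the strongest protection ever observed for this resource.
            self.tls_history[resource] = max(self.tls_history.get(resource, Level.NONE), level)
        return verdict

    def referenced(self, resource: str) -> bool:
        """True while any browsing-history source still mentions the resource."""
        return resource in self.visits or resource in self.bookmarks or resource in self.cache

    def _sweep_tls(self) -> List[str]:
        # TLS history follows other history: a record goes only once nothing references it.
        dropped = [r for r in self.tls_history if not self.referenced(r)]
        for r in dropped:
            del self.tls_history[r]
        return dropped

    def expunge(self, now: int, max_age: int) -> List[str]:
        """Expire visit log and cache entries older than max_age, then sweep TLS history."""
        for r, t in list(self.visits.items()):
            if now - t > max_age:
                del self.visits[r]
                self.cache.discard(r)
        return self._sweep_tls()

    def remove_bookmark(self, resource: str) -> List[str]:
        """Removing a bookmark is the earliest point its TLS record may be expunged."""
        self.bookmarks.discard(resource)
        return self._sweep_tls()


def demo() -> List[Optional[str]]:
    """Constructed sequence: AA site, then plain strong TLS, then no TLS at all."""
    h = UserAgentHistory()
    return [
        h.interact("https://bank.example/", Level.STRONG_AA, 0),
        h.interact("https://bank.example/", Level.STRONG, 1),
        h.interact("https://bank.example/", Level.NONE, 2),
    ]


if __name__ == "__main__":
    print(demo())  # [None, 'SHOULD', 'MUST']
```

The ordering constraint is enforced structurally: `_sweep_tls` is the only place a TLS record is deleted, and it runs after the ordinary history operations, so a bookmarked resource keeps its record until the bookmark itself goes.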