- From: Johnathan Nightingale <johnath@mozilla.com>
- Date: Wed, 20 Feb 2008 10:13:32 -0500
- To: Timothy Hahn <hahnt@us.ibm.com>
- Cc: W3C WSC Public <public-wsc-wg@w3.org>
- Message-Id: <558CF12F-DCFA-4ECE-AE96-4E5CD0A7C12E@mozilla.com>
Sounds good to me!

Cheers,

J

On 19-Feb-08, at 10:38 PM, Timothy Hahn wrote:

> Jonathan,
>
> Sounds good. I think for the normative text we should be as
> explicit as possible.
>
> Proposed text:
>
> The requirements in this section do not require user agents to store
> information about past interactions longer than they otherwise would.
> Historical TLS information stored for the purposes of evaluating
> changes of security level MAY be expunged from the user agent on the
> same schedule as other browsing history information. Historical TLS
> information MUST NOT be expunged prior to other browsing history
> information. For purposes of this requirement, browsing history
> information includes visit logs, bookmarks, and information stored in a
> user agent cache.
>
> The one thing I added above (within the blue text) is that I also
> noted cache contents in addition to visit logs and bookmarks.
>
> Regards,
> Tim Hahn
> IBM Distinguished Engineer
>
> Internet: hahnt@us.ibm.com
> Internal: Timothy Hahn/Durham/IBM@IBMUS
> phone: 919.224.1565 tie-line: 8/687.1565
> fax: 919.224.2530
>
>
> From: Johnathan Nightingale <johnath@mozilla.com>
> To: Timothy Hahn/Durham/IBM@IBMUS
> Cc: W3C WSC Public <public-wsc-wg@w3.org>
> Date: 02/19/2008 10:48 AM
> Subject: Re: ACTION-376: Rewrite 5.5.3 to be more explicit about
> history tracking
>
>
> Hey Tim,
>
> I agree with you here, and it was my thinking as well, that
> bookmarks should persist that information. I guess in a lawyerish
> reading, you could argue it was already implied by the current text
> but I see no reason not to make it explicit. How about:
>
> The requirements in this section do not require user agents to store
> information about past interactions longer than they otherwise would.
> Historical TLS information stored for the purposes of evaluating
> changes of security level MAY be expunged from the user agent on the
> same schedule as other browsing history information (e.g. visit
> logs, bookmarks). Historical TLS information MUST NOT be expunged
> prior to other browsing history information.
>
> I don't know if a parenthetical (e.g.) is considered appropriate for
> normative text, but really I think we just want to cue implementors
> here. If you would favour something more direct ("For the purposes
> of this requirement, browsing history includes..." I think I'd be
> fine with any alternate text you suggested along those lines as well.
>
> Cheers,
>
> Johnathan
>
> On 18-Feb-08, at 8:00 AM, Timothy Hahn wrote:
>
> Jonathan,
>
> I agree with the intent of the changes/addition (that user agents
> not be required to hold historical TLS information indefinitely).
>
> Does the reference to "other browsing history information" cover
> whatever is bookmarked? My opinion is that for purposes of the
> added paragraph below, it should. Thus, historical TLS information
> related to a bookmarked item SHOULD NOT be expunged from a user
> agent before the bookmark itself is removed.
>
> Regards,
> Tim Hahn
> IBM Distinguished Engineer
>
> Internet: hahnt@us.ibm.com
> Internal: Timothy Hahn/Durham/IBM@IBMUS
> phone: 919.224.1565 tie-line: 8/687.1565
> fax: 919.224.2530
>
>
> From: Johnathan Nightingale <johnath@mozilla.com>
> To: W3C WSC W3C WSC Public <public-wsc-wg@w3.org>
> Date: 02/15/2008 04:52 PM
> Subject: ACTION-376: Rewrite 5.5.3 to be more explicit about history
> tracking
>
>
> The current normative text in section 5.5.3 reads:
>
> > Web user agents that have found a resource strongly TLS protected
> > during past interactions MUST consider an interaction with the same
> > resource as a change of security level if that interaction is not
> > strongly TLS protected. Web user agents that have found a resource
> > strongly TLS protected with an Augmented Assurance Certificate
> > SHOULD consider an interaction with the same resource as a change of
> > security level if that interaction is not strongly TLS protected
> > with an Augmented Assurance Certificate.
>
> The concern I raised was that this seems to imply an obligation on
> user agents to store certificate history for an indeterminate period
> of time, and potentially independent of any privacy settings the agent
> might otherwise support. For the purposes of addressing this concern,
> I think the text that is there is basically fine, but just needs to be
> elaborated on. We want to say that we're not forcing the user agent
> to store this indefinitely, just that they keep it around *at least as
> long* as other history information.
>
> I propose adding a new paragraph:
>
> The requirements in this section do not require user agents to store
> information about past interactions longer than they otherwise would.
> Historical TLS information stored for the purposes of evaluating
> changes of security level MAY be expunged from the user agent on the
> same schedule as other browsing history information. Historical TLS
> information MUST NOT be expunged prior to other browsing history
> information.
>
> I believe this completes ACTION-376.
>
> Cheers,
>
> Johnathan
>
> ---
> Johnathan Nightingale
> Human Shield
> johnath@mozilla.com
>
>
> ---
> Johnathan Nightingale
> Human Shield
> johnath@mozilla.com
>

---
Johnathan Nightingale
Human Shield
johnath@mozilla.com
Received on Wednesday, 20 February 2008 15:14:09 UTC
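The rule the thread converges on (remember the strongest TLS protection previously seen for a resource, flag a weaker later interaction as a change of security level, and expunge that TLS record no earlier than the ordinary browsing history for the resource) can be modelled in a few dozen lines. The following is an added example written for this page; it is not code from the thread, from Mozilla, IBM, or any browser. The class names, the toy clock, the "bookmarks and cache entries pin a history record" rule, and the choice to retain the strongest level ever observed (rather than the most recent one, which would let a single downgraded visit silence all later warnings) are the editor's assumptions, and the visits in `demo()` are constructed data.

```python
"""Toy model of WSC 5.5.3 history tracking with the proposed retention rule.

Added example, not code from the thread. Assumptions: a resource is keyed by
a host/path string, a single toy retention window covers visit logs, bookmarked
and cached resources are never expired by age, and the TLS record keeps the
strongest level ever seen for the resource.
"""
from dataclasses import dataclass
from enum import IntEnum
from typing import Optional


class TLSLevel(IntEnum):
    NONE = 0        # plain HTTP, or TLS that is not "strongly TLS protected"
    STRONG = 1      # strongly TLS protected
    AUGMENTED = 2   # strongly TLS protected with an Augmented Assurance Certificate


@dataclass
class HistoryEntry:
    last_visit: int            # toy clock, seconds
    bookmarked: bool = False
    cached: bool = False


class UserAgentHistory:
    """Browsing history plus the historical TLS information 5.5.3 relies on."""

    def __init__(self, retention_seconds: int):
        self.retention = retention_seconds
        self.history: dict[str, HistoryEntry] = {}
        self.tls_history: dict[str, TLSLevel] = {}

    def record_interaction(self, resource: str, level: TLSLevel, now: int,
                           bookmarked: bool = False, cached: bool = False) -> Optional[str]:
        """Record a visit; return 'MUST', 'SHOULD' or None for the 5.5.3 verdict."""
        prior = self.tls_history.get(resource, TLSLevel.NONE)
        verdict = None
        if prior >= TLSLevel.STRONG and level < TLSLevel.STRONG:
            verdict = "MUST"      # strongly protected before, not strongly protected now
        elif prior == TLSLevel.AUGMENTED and level < TLSLevel.AUGMENTED:
            verdict = "SHOULD"    # AA-protected before, weaker (but still TLS) now
        entry = self.history.setdefault(resource, HistoryEntry(now))
        entry.last_visit = now
        entry.bookmarked = entry.bookmarked or bookmarked
        entry.cached = entry.cached or cached
        # Assumption: keep the strongest level ever observed, so one downgrade
        # does not erase the evidence that later downgrades should be flagged.
        self.tls_history[resource] = max(prior, level)
        return verdict

    def expunge(self, now: int) -> list[str]:
        """Expire aged visit-log entries; TLS records go on the same schedule."""
        expired = [r for r, e in self.history.items()
                   if now - e.last_visit > self.retention
                   and not e.bookmarked and not e.cached]
        for r in expired:
            del self.history[r]
            self.tls_history.pop(r, None)   # same schedule, never earlier
        return expired

    def forget_tls(self, resource: str) -> None:
        """The MUST NOT clause: refuse to drop TLS history while browsing history remains."""
        if resource in self.history:
            raise PermissionError(f"{resource}: browsing history still present")
        self.tls_history.pop(resource, None)


def demo() -> dict:
    """Constructed visits exercising both verdicts and the retention rule."""
    day = 86_400
    t0 = 1_200_000_000
    ua = UserAgentHistory(retention_seconds=30 * day)
    out = {}
    out["first_visit"] = ua.record_interaction("bank.example/login", TLSLevel.AUGMENTED, t0,
                                               bookmarked=True)
    out["downgrade_to_dv"] = ua.record_interaction("bank.example/login", TLSLevel.STRONG, t0 + day)
    out["wiki_first"] = ua.record_interaction("wiki.example/", TLSLevel.STRONG, t0)
    out["wiki_plain"] = ua.record_interaction("wiki.example/", TLSLevel.NONE, t0 + day)
    # 60 days on: the wiki visit is past retention; the bookmarked bank entry is not.
    out["expunged"] = ua.expunge(t0 + 60 * day)
    out["bank_tls_kept"] = ua.tls_history.get("bank.example/login")
    out["wiki_tls_gone"] = "wiki.example/" in ua.tls_history
    try:
        ua.forget_tls("bank.example/login")
        out["early_forget_blocked"] = False
    except PermissionError:
        out["early_forget_blocked"] = True
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The two verdict strings mirror the spec's MUST and SHOULD clauses; the `expunge` path is where the "same schedule" text bites, and `forget_tls` is the explicit guard against expunging TLS history first. A real browser would key this on the origin and certificate chain it actually observed, and would tie the retention window to its own history and privacy settings rather than a single toy constant.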