- From: Thomas Roessler <tlr@w3.org>
- Date: Wed, 27 Feb 2008 14:32:10 +0100
- To: mzurko@us.ibm.com
- Cc: WSC WG <public-wsc-wg@w3.org>
As agreed at the face-to-face, I've put the following text into section 9.3:

    If a web application solicits a secret, such as a password, over TLS, then it MUST always transmit that secret using that level of protection or better. Any derived secret that conveys a similar level of authority as the original secret MUST also be protected at the same level as the original secret. Other derived secrets SHOULD also be given the same protection. Sensitive transactions also MUST be protected using the same level of protection. In a web application, a secret may be used to authorize a transaction. The details of that transaction SHOULD also be transmitted using the same level of protection afforded the secret itself.

-- http://www.w3.org/2006/WSC/drafts/rec/rewrite.html#tls-consistency

Also, according to the minutes [1], Mez declared ISSUE-162 moot with this edit, so I've taken the liberty to mark it as closed in tracker.

1. http://www.w3.org/2008/02/05-wsc-minutes.html#e

--
Thomas Roessler, W3C <tlr@w3.org>
Received on Wednesday, 27 February 2008 13:32:23 UTC
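The section 9.3 text quoted in the message above states a requirement on web applications but gives no way to check it. The following is an added example, not part of the W3C thread or of the WSC draft, that models the "TLS consistency" rule as an audit over a constructed trace of HTTP exchanges: the scheme a secret is first solicited over becomes its floor, secrets derived from it (a session cookie) inherit that floor, and any later exchange that carries the secret, or that is a transaction authorised by it, below that floor is reported. The `Exchange` record, its field names and the `bank.example` URLs are hypothetical.

```python
"""Audit of the WSC 'TLS consistency' requirement (section 9.3) over a
constructed traffic trace. Added example; not code from the W3C thread."""

from dataclasses import dataclass, field

# Only two protection levels matter for the quoted rule: plain HTTP or TLS.
SCHEME_RANK = {"http": 0, "https": 1}


@dataclass
class Exchange:
    """One HTTP exchange as a proxy or test harness might record it (hypothetical shape)."""
    method: str
    url: str
    carries: tuple = ()          # secret ids transmitted in this request (password, cookie, token)
    solicits: tuple = ()         # secret ids the user is asked for here (e.g. the login POST)
    derives: dict = field(default_factory=dict)   # new secret id -> secret it is derived from
    authorized_by: tuple = ()    # secret ids that authorise this sensitive transaction


def scheme_rank(url):
    """Protection level of the URL's scheme; raises KeyError for anything else."""
    return SCHEME_RANK[url.split("://", 1)[0].lower()]


def audit(exchanges):
    """Return (url, secret_id, reason) for every exchange that sends a secret,
    or a transaction the secret authorises, below the level the secret was
    solicited with. An empty list means the trace satisfies the rule."""
    required = {}   # secret id -> minimum scheme rank it must travel with
    findings = []
    for ex in exchanges:
        rank = scheme_rank(ex.url)
        # Solicitation fixes the floor for the secret; a derived secret that
        # conveys the same authority inherits its parent's floor.
        for sid in ex.solicits:
            required[sid] = max(rank, required.get(sid, 0))
        for child, parent in ex.derives.items():
            required[child] = max(required.get(parent, 0), required.get(child, 0))
        # The secret itself (or its derivative) travelling below the floor.
        for sid in ex.carries:
            if required.get(sid, 0) > rank:
                findings.append((ex.url, sid, "secret transmitted below its solicitation level"))
        # A transaction the secret authorises, sent below the floor even if the
        # secret is not carried in this particular request.
        for sid in ex.authorized_by:
            if required.get(sid, 0) > rank:
                findings.append((ex.url, sid, "transaction authorised by the secret sent below its level"))
    return findings


# Constructed trace: password solicited over TLS, a session cookie derived from
# it, then two exchanges that fall back to plain HTTP (a cookie set without the
# Secure attribute behaves exactly like the third record).
SAMPLE_TRACE = [
    Exchange("POST", "https://bank.example/login", carries=("password",),
             solicits=("password",), derives={"session": "password"}),
    Exchange("GET", "https://bank.example/account", carries=("session",)),
    Exchange("GET", "http://bank.example/help", carries=("session",)),
    Exchange("POST", "http://bank.example/transfer", authorized_by=("session",)),
]

if __name__ == "__main__":
    for url, sid, reason in audit(SAMPLE_TRACE):
        print(f"{url}: {sid}: {reason}")
```

The audit deliberately reports nothing for a secret first solicited over plain HTTP, because the quoted requirement only binds secrets that were solicited over TLS; whether soliciting a password over HTTP is acceptable at all is a separate question the section does not address.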