W3C home > Mailing lists > Public > public-wsc-wg@w3.org > February 2008

ACTION-385: Changes to section 9.3

From: Thomas Roessler <tlr@w3.org>
Date: Wed, 27 Feb 2008 14:32:10 +0100
To: mzurko@us.ibm.com
Cc: WSC WG <public-wsc-wg@w3.org>
Message-ID: <20080227133210.GA91369@iCoaster.does-not-exist.org>

As agreed at the face-to-face, I've put the following text into
section 9.3:

  If a web application solicits a secret, such as a password, over
  TLS, then it MUST always transmit that secret using that level of
  protection or better.Any derived secret that convey a similar
  level of authority as the original secret it MUST also be
  protected at the same level as the original secret. Other derived
  secrets SHOULD also be given the same protection. Sensitive
  transactions also MUST be protected using the same level of
  In a web-application, a secret may be used to authorize a
  transaction. The details of that transaction SHOULD also be
  transmitted using the same level of protection afforded the secret

  -- http://www.w3.org/2006/WSC/drafts/rec/rewrite.html#tls-consistency

Also, according to the minutes [1], Mez declared ISSUE-162 moot with
this edit, so I've taken the liberty to mark it as closed in

1. http://www.w3.org/2008/02/05-wsc-minutes.html#e
Thomas Roessler, W3C  <tlr@w3.org>
Received on Wednesday, 27 February 2008 13:32:23 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 19:36:53 UTC