W3C home > Mailing lists > Public > public-wsc-wg@w3.org > February 2008

ACTION-386: Use TLS for Login Pages

From: Thomas Roessler <tlr@w3.org>
Date: Wed, 27 Feb 2008 14:47:30 +0100
To: tyler.close@hp.com
Cc: WSC WG <public-wsc-wg@w3.org>
Message-ID: <20080227134730.GA91668@iCoaster.does-not-exist.org>

Section 9.2 - Use TLS for Login Pages - now reads as follows:

  Web pages MUST use TLS, or similar protection, to protect both the
  solicitation and transmission of secrets, such as passwords,
  against disclosure to unauthorized parties.

  -- http://www.w3.org/2006/WSC/drafts/rec/rewrite.html#tls-login-pages
  Web Security Context: Experience, Indicators, and Trust
  Editor's Draft 27 February 2008
  $Revision: 1.166 $ $Date: 2008/02/27 13:45:00 $

In the 5 February minutes, I also find the following remark from
Tyler on IRC:

  An author MUST NOT create a web page served using TLS that
  includes other representations not served using at least that
  level of protection.

From the minutes, I can't quite tell whether that's supposed to be
an additional suggestion, or whether there was any agreement that
something along these lines should be included.

Tyler, any recollection?

Thomas Roessler, W3C  <tlr@w3.org>
Received on Wednesday, 27 February 2008 13:47:39 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 19:36:53 UTC