wsc-xit review

Hi all,

My comments about the Nov 28th version of the rec track document are in this email. I've restricted myself to comments about clarity of the proposed recommendations and am leaving issues of effectiveness to the testing phase of this WG.

http://www.w3.org/2006/WSC/drafts/rec/#def-Page

"A Web Page is a resource that is referenced by a URI and is not embedded in another resource"

The existence of HTML frames complicates this definition.

http://www.w3.org/2006/WSC/drafts/rec/#http

I don't understand what the definition of "HTTP Transaction" means. Does it refer to a single HTTP Request/Response pair, or multiple pairs? If multiple, what are the delimiters for which ones are included and which not? Consequently, the definitions of TLS-desired and TLS-protected are similarly confusing.

http://www.w3.org/2006/WSC/drafts/rec/#tlstosecurehttp

"assertion that use of TLS is desired."

Is it just desired, or is it required?

http://www.w3.org/2006/WSC/drafts/rec/#sec-change-level

My understanding of this section is that a "change of security level" happens whenever a user follows a hyperlink from one TLS-protected web site to another. Is that the intent?

Assigning a "level" to security doesn't seem particularly useful to me. There are too many dimensions that are relevant, or not relevant, in different scenarios.

http://www.w3.org/2006/WSC/drafts/rec/#change-tls-state

What happens to these requirements when the user instructs the Web user agent to flush its browsing history?

http://www.w3.org/2006/WSC/drafts/rec/#signal-content

There are requirements for what must be displayed, or not displayed, in the "identity signal" but no requirements are given on how the user determines the delimiters of the "identity signal". Where's the inside versus the outside?

http://www.w3.org/2006/WSC/drafts/rec/#errors-basic

Under what scenarios does no "change of security level" happen, but the TLS session changes?

(I skipped over the section on the Safe Web Form editor. I know I've got stuff I'm working on for it.)

http://www.w3.org/2006/WSC/drafts/rec/#techniques-dontmix

We need a definition for "visual context".

For: "intended to enable users' trust decisions". Does that mean there are parts of the browser's GUI that are purposely trying to mislead the user and that's OK?

http://www.w3.org/2006/WSC/drafts/rec/#robustness-trustedpath

There needs to be some discussion of delimiters in here.

http://www.w3.org/2006/WSC/drafts/rec/#requirements-robustness

"Web user agents MUST prevent web content from obscuring, hiding, or disabling security UI."

How should this be interpreted in a desktop with overlapping windows, where one window is on top of another, and so hiding part of it?

"Web user agents MUST NOT expose programming interfaces which permit installation of software, or execution of privileged code without user intervention."

Does this create requirements on the functionality of the "Save Target As" right-click menu option? What user actions can be interpreted as "user intervention"?

--Tyler

--
[1] "Web Security Context: Experience, Indicators, and Trust"
    <http://www.w3.org/2006/WSC/drafts/rec/>

Received on Thursday, 3 January 2008 21:59:55 UTC