- From: Johnathan Nightingale <johnath@mozilla.com>
- Date: Wed, 11 Jun 2008 17:57:31 -0400
- To: W3C WSC W3C WSC Public <public-wsc-wg@w3.org>
On 11-Jun-08, at 4:59 PM, Yngve N. Pettersen (Developer Opera Software ASA) wrote: > On Wed, 11 Jun 2008 21:01:10 +0200, Thomas Roessler <tlr@w3.org> > wrote: >> Looks good to me. I've dropped these into the current draft, with >> some changes from "TLS-protected resource" to "TLS-secured page". > Looks OK to me, although I would have preferred 5.4.4 to use "MUST". > A particular reason for my view is that MSIE7 (at least) is no > longer warning about this, and that I have seen hotel wireless > network logons using this method. True, SHOULD is almost MUST, but... My thought process here was that SHOULD suggests that user agents really ought to consider this, but also implicitly acknowledges our security considerations about warning fatigue and the like. I agree that this is problematic behaviour, and we should definitely recommend against it (maybe even with MUST language) in the guidance to site authors document, but I think for user agents we have to be very careful about every MUST-level error/warning, given that we also counsel implementors against having too many of them. Cheers, Johnathan --- Johnathan Nightingale Human Shield johnath@mozilla.com
Received on Wednesday, 11 June 2008 21:58:14 UTC