Re: ACTION-386: Use TLS for Login Pages

I'm having a bit of trouble parsing Tyler's remark. Is it basically saying
"no mixed content"? If so, that sounds great, but why tie it to the login
pages? Why not make it its own thing, saying "If you're going to use TLS, do
it right and don't subject users to mixed content."

-My $0.02

On Wed, Feb 27, 2008 at 5:47 AM, Thomas Roessler <tlr@w3.org> wrote:

>
> Section 9.2 - Use TLS for Login Pages - now reads as follows:
>
>  Web pages MUST use TLS, or similar protection, to protect both the
>  solicitation and transmission of secrets, such as passwords,
>  against disclosure to unauthorized parties.
>
>  -- http://www.w3.org/2006/WSC/drafts/rec/rewrite.html#tls-login-pages
>  Web Security Context: Experience, Indicators, and Trust
>  Editor's Draft 27 February 2008
>  $Revision: 1.166 $ $Date: 2008/02/27 13:45:00 $
>
> In the 5 February minutes, I also find the following remark from
> Tyler on IRC:
>
>  An author MUST NOT create a web page served using TLS that
>  includes other representations not served using at least that
>  level of protection.
>
> From the minutes, I can't quite tell whether that's supposed to be
> an additional suggestion, or whether there was any agreement that
> something along these lines should be included.
>
> Tyler, any recollection?
>
> --
> Thomas Roessler, W3C  <tlr@w3.org>
>
>

Received on Monday, 3 March 2008 18:51:01 UTC
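
The two requirements quoted in this message (the Section 9.2 text and Tyler's remark), written as a static check over a page's HTML. This is an added example, not part of the original e-mail or the WSC draft. The names `audit` and `LoginPageAudit`, the tag list, the sample markup and the reading of "at least that level of protection" as "fetched over https" are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Tags (and the attribute) that pull another representation into the page.
SUBRESOURCE_ATTRS = {"script": "src", "img": "src", "iframe": "src",
                     "embed": "src", "object": "data", "link": "href"}

def is_tls(url):
    return urlparse(url).scheme == "https"

class LoginPageAudit(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url, self.findings = page_url, []
        self.form_action = None  # resolved action of the enclosing <form>

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.form_action = urljoin(self.page_url, a.get("action") or "")
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            if not is_tls(self.page_url):   # 9.2: solicitation of the secret
                self.findings.append(("solicitation", self.page_url))
            target = self.form_action or self.page_url
            if not is_tls(target):          # 9.2: transmission of the secret
                self.findings.append(("transmission", target))
        elif tag in SUBRESOURCE_ATTRS and a.get(SUBRESOURCE_ATTRS[tag]):
            if tag == "link" and "stylesheet" not in (a.get("rel") or "").lower():
                return                      # e.g. rel=canonical is not fetched
            url = urljoin(self.page_url, a[SUBRESOURCE_ATTRS[tag]])
            # Tyler's remark: a TLS page must not include non-TLS content.
            if is_tls(self.page_url) and urlparse(url).scheme == "http":
                self.findings.append(("mixed-content", url))

    def handle_endtag(self, tag):
        if tag == "form":
            self.form_action = None

def audit(page_url, html):
    parser = LoginPageAudit(page_url)
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample page; hosts use the reserved .example TLD.
SAMPLE = """<html><head><script src="http://cdn.example/lib.js"></script>
<link rel="stylesheet" href="/site.css"></head><body>
<form action="http://login.example/auth" method="post">
<input type="text" name="user"><input type="password" name="pw"></form>
<img src="//static.example/logo.png"></body></html>"""
```

Run against the same markup served from `https://login.example/` and from `http://login.example/`, the check separates the two rules: the mixed-content finding only arises on the TLS page, while the solicitation finding only arises on the plain-HTTP one.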