- From: Thomas Roessler <tlr@w3.org>
- Date: Wed, 19 Mar 2008 22:57:48 +0100
- To: WSC WG <public-wsc-wg@w3.org>

The same set of ominous notes reminds me that there should be more information about the source of trust as part of the additional security context information. I've elaborated a bit on the "The reason why the identity information is trusted" bullet, though I'm not 100% sure that's the right hook for this. Improvement proposals (including on the list) welcome.

Current text:

  The information sources MUST make the following security context information available:

  ...

  The reason why the identity information is trusted (or not). This includes whether or not a certificate was accepted interactively, whether a self-signed certificate was used, and whether the self-signed certificate was pinned to the site that the user interacts with, and whether trust relevant settings of the user agent were otherwise overridden through user action.

http://www.w3.org/2006/WSC/Drafts/rec/rewrite.html#asc-must

Web Security Context: Experience, Indicators, and Trust
Editor's Draft 19 March 2008
$Revision: 1.205 $ $Date: 2008/03/19 21:56:05 $

Regards,
--
Thomas Roessler, W3C <tlr@w3.org>

Received on Wednesday, 19 March 2008 21:58:20 UTC