- From: Thomas Roessler <tlr@w3.org>
- Date: Fri, 9 May 2008 15:07:15 +0200
- To: Johnathan Nightingale <johnath@mozilla.com>
- Cc: W3C WSC W3C WSC Public <public-wsc-wg@w3.org>
On 2008-05-09 09:00:51 -0400, Johnathan Nightingale wrote:

> That text makes it clear to me that Firefox 3, storing no historical TLS information, is "trivially compliant" with a section governing the use of it, if stored. If the group is okay with "trivial compliance" here, then I think my text will work, and we can close the issue. However, if people think that compliance with this spec *should* demand storage of historical TLS information, then we should leave the text as-is (or even make it more explicit), close the issue, but recognize that Firefox 3 won't be a compliant implementation to point to.

I understood the spirit of the current text to be "you don't need to store TLS information longer than other history information", which seemed like a somewhat reasonable compromise, in particular in the face of extensive browsing history storage in certain recent browsers.

As far as the treatment of self-signed certificates is concerned, the "have been there before, saw domain validated certificate bit" is rather crucial to the overall picture *if* pinning occurs according to the spec, so I'm feeling quite uneasy about an approach which effectively says "it's fine not to store that bit".

Sounds like we need to talk more about this in Oslo.

Cheers,
--
Thomas Roessler, W3C <tlr@w3.org>
Received on Friday, 9 May 2008 13:07:48 UTC