ISSUE-200: Should an AA security indication include all elements in the evaluation, or just the top document [wsc-xit] from Web Security Context Working Group Issue Tracker on 2008-05-13 (public-wsc-wg@w3.org from May 2008)

From: Web Security Context Working Group Issue Tracker <sysbot+tracker@w3.org>
Date: Tue, 13 May 2008 11:59:30 +0000 (GMT)
To: public-wsc-wg@w3.org
Message-Id: <20080513115930.1F810C6DB5@barney.w3.org>

ISSUE-200: Should an AA security indication include all elements in the evaluation, or just the top document [wsc-xit]

http://www.w3.org/2006/WSC/track/issues/

Raised by: Yngve Pettersen
On product: wsc-xit

Related to Mixed content http://www.w3.org/2006/WSC/drafts/rec/rewrite.html#securepage

A question related to Augmented Assurance certificates, such as EV, is whether or not an indicator based on such a certificate should be displayed if one or more of the resources (except the main document) used to build the document are not loaded from servers presenting such an AA certificate?

There are several subquestions in this area, for example:

  - What does the user expect when he sees the indicator
  - How does sensitive parts of the document not having an AA certificate affect the transaction and the epxectations
  - What are the legal effects of displaying an AA indicator on a page that contain non-AA content?

See also: http://my.opera.com/yngve/blog/2007/06/19/it-aint-ev-til-its-ev-all-ev

Received on Tuesday, 13 May 2008 12:00:07 UTC