Re: ACTION-518: Text clarification for 5.4.1 (Re: Meeting record: WSC WG weekly 2008-09-24)

Looks good. I declare consensus and will create an editorial action. 

          Mez

From:
Thomas Roessler <tlr@w3.org>
To:
Thomas Roessler <tlr@w3.org>
Cc:
WSC WG <public-wsc-wg@w3.org>
Date:
10/06/2008 08:51 AM
Subject:
ACTION-518: Text clarification for 5.4.1 (Re: Meeting record: WSC WG weekly 2008-09-24)
Sent by:
public-wsc-wg-request@w3.org

On 6 Oct 2008, at 13:54, Thomas Roessler wrote:

>   Mez: Section 5.4.1
>
>   <Mez> [13]http://www.w3.org/TR/wsc-ui/#sec-tlserrors
>
>   Mez: I think "these interactions" refers to interactions resulting from
>   a TLS error
>   ... I think part of the confusion comes from ambiguity about which
>   certificates the comment is about
>
>   TLR: Yes, I think we need to clarify the text here.
>   ... thinking...
>
>   <Mez> When certificate information is presented in these interactions,
>   human-readable information derived from the certificates in question
>   (and any other certificates not trusted) MUST NOT be presented as
>   trustworthy. Examples of such certificate information within those
>   certificates not to be presented as trustworthy include Common Name or
>   Organization attributes.
>
>   <tlr> ACTION: thomas to refine text above this action in the minutes
>   [recorded in
>   [14]http://www.w3.org/2008/09/24-wsc-minutes.html#action03]
>
>   <trackbot> Created ACTION-518 - Refine text above this action in the
>   minutes [on Thomas Roessler - due 2008-10-01].

To discharge that action, I'd propose the following text instead:

> When certificate information is presented in the interactions 
> described in this section, then human-readable information from 
> certificates MUST NOT be presented as trustworthy unless it is 
> attested to. E.g., a self-signed certificate's Common Name or 
> Organization attribute must not be displayed, even if that 
> certificate is pinned to a destination.  Web user agents MAY display 
> this information in a dialog and other secondary chrome reachable 
> from the warning or error messages specified here.

This would replace the following two paragraphs in the current Working 
Draft:

> When certificate information is presented in these interactions, 
> human-readable information derived from the certificates (e.g., 
> Common Name or Organization attributes) in question MUST NOT be 
> presented as trustworthy.


> When certificate information is presented in these interactions, web 
> user agents MUST NOT display identity information derived from a 
> self signed or untrusted certificate in a warning or error message. 
> Web user agents MAY display this information in a dialog or other 
> secondary chrome reachable through the warning or error message or 
> dialog.


Regards,
--
Thomas Roessler, W3C  <tlr@w3.org>

Received on Tuesday, 11 November 2008 14:19:25 UTC
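As an added illustration of the rule in the proposed 5.4.1 text (this is example code written for this archive page, not code from the WSC WG, the Working Draft, or any browser): a constructed content model for the TLS error interaction, split into what the warning message itself may show and what is deferred to secondary chrome. The function names (buildTlsErrorView, attestationStatus, identityAttributes), the trust-anchor set and the certificate records are hypothetical, and the chain check is a deliberate simplification that performs no signature or validity-period verification.

```javascript
// Constructed trust anchors, keyed by subject DN (hypothetical values).
const TRUST_ANCHORS = new Set(["CN=Example Root CA,O=Example Trust"]);

// Decide whether the identity in a leaf-first chain is "attested to" by a
// party the user agent trusts. A self-signed leaf has nobody vouching for
// it; a chain whose last certificate was not issued by a trust anchor is
// untrusted. (Constructed simplification: no signature or date checks.)
function attestationStatus(chain) {
  const leaf = chain[0];
  const selfSigned = chain.length === 1 && leaf.subject === leaf.issuer;
  const last = chain[chain.length - 1];
  const attested = !selfSigned && TRUST_ANCHORS.has(last.issuer);
  return { selfSigned, attested };
}

// Pull out the attributes the text names (Common Name, Organization) from a
// subject DN written as "K=V,K=V" (constructed format, no escaped commas).
function identityAttributes(subjectDn) {
  const attrs = {};
  for (const part of subjectDn.split(",")) {
    const i = part.indexOf("=");
    if (i < 0) continue;
    const key = part.slice(0, i).trim();
    if (key === "CN" || key === "O") attrs[key] = part.slice(i + 1).trim();
  }
  return attrs;
}

// Build the content model of the warning/error interaction.
// `primary` is what the warning or error message itself may present;
// `secondary` is the dialog or other secondary chrome reachable from it.
// Pinning a certificate to a destination does not make its identity
// attested, so a pinned self-signed CN/O still never reaches `primary`.
function buildTlsErrorView(destinationHost, chain, errors, pinned) {
  const { selfSigned, attested } = attestationStatus(chain);
  const identity = identityAttributes(chain[0].subject);
  return {
    primary: {
      host: destinationHost,          // taken from the URL, not the certificate
      errors,                          // constructed error labels, e.g. "expired"
      identity: attested ? identity : null,
      pinned,
    },
    secondary: {
      identity,                        // raw attributes, to be labelled unverified
      attested,
      selfSigned,
    },
  };
}

// Usage on constructed input: a pinned self-signed certificate for an
// intranet host. Its CN/O appear only in secondary chrome.
const pinnedSelfSigned = [{
  subject: "CN=intranet.example,O=Example Corp",
  issuer: "CN=intranet.example,O=Example Corp",
}];
const view = buildTlsErrorView("intranet.example", pinnedSelfSigned,
                               ["untrusted-issuer"], true);
console.log(JSON.stringify(view, null, 2));
```

The split into `primary` and `secondary` is the point of the proposed wording: the warning itself only carries the destination host (which comes from the URL, not from the certificate) and, when the chain is attested, the certificate's identity attributes; everything else is reachable but is not presented as trustworthy.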