ACTION-518: Text clarification for 5.4.1 (Re: Meeting record: WSC WG weekly 2008-09-24)

On 6 Oct 2008, at 13:54, Thomas Roessler wrote:

>   Mez: Section 5.4.1
>
>   <Mez> [13]http://www.w3.org/TR/wsc-ui/#sec-tlserrors
>
>   Mez: I think "these interactions" refers to interactions resulting
>   from a TLS error
>   ... I think part of the confusion comes from ambiguity about which
>   certificates the comment is about
>
>   TLR: Yes, I think we need to clarify the text here.
>   ... thinking...
>
>   <Mez> When certificate information is presented in these interactions,
>   human-readable information derived from the certificates in question
>   (and any other certificates not trusted) MUST NOT be presented as
>   trustworthy. Examples of such certificate information within those
>   certificates not to be presented as trustworthy include Common Name or
>   Organization attributes.
>
>   <tlr> ACTION: thomas to refine text above this action in the minutes
>   [recorded in
>   [14]http://www.w3.org/2008/09/24-wsc-minutes.html#action03]
>
>   <trackbot> Created ACTION-518 - Refine text above this action in the
>   minutes [on Thomas Roessler - due 2008-10-01].

To discharge that action, I'd propose the following text instead:

> When certificate information is presented in the interactions  
> described in this section, then human-readable information from  
> certificates MUST NOT be presented as trustworthy unless it is  
> attested to. E.g., a self-signed certificate's Common Name or  
> Organization attribute must not be displayed, even if that  
> certificate is pinned to a destination.  Web user agents MAY display  
> this information in a dialog and other secondary chrome reachable  
> from the warning or error messages specified here.

This would replace the following two paragraphs in the current Working  
Draft:

> When certificate information is presented in these interactions,  
> human-readable information derived from the certificates (e.g.,  
> Common Name or Organization attributes) in question MUST NOT be  
> presented as trustworthy.


> When certificate information is presented in these interactions, web  
> user agents MUST NOT display identity information derived from a  
> self signed or untrusted certificate in a warning or error message.  
> Web user agents MAY display this information in a dialog or other  
> secondary chrome reachable through the warning or error message or  
> dialog.


Regards,
--
Thomas Roessler, W3C  <tlr@w3.org>

Received on Monday, 6 October 2008 12:06:38 UTC