- From: Thomas Roessler <tlr@w3.org>
- Date: Wed, 07 Apr 2010 11:43:53 +0200
- To: WSC WG public <public-wsc-wg@w3.org>
Reviewing LC-2382:
http://www.w3.org/2006/02/lc-comments-tracker/39814/WD-wsc-ui-20100309/2382
http://lists.w3.org/Archives/Public/public-usable-authentication/2010Mar/0002.html

The text in section 5.2 favors HTTPS over HTTP with RFC 2817 in a single place: in the definition of "strong TLS protection", we require that the resource be identified with an HTTPS URI.
http://www.w3.org/TR/wsc-ui/#def-strong-tls

We do not ever take that point up in later parts of the spec. If my memory serves me well, this particular clause came out of an earlier definition that dealt with whether or not an expectation for use of TLS had been set; however, we have long dismissed that.

Conversely, our definition of weak TLS protection does *not* encompass the case in which an RFC 2817 style upgrade was performed, but all conditions were met.

Therefore, it may be reasonable to grant the commenter's request and strike the requirement that an HTTPS URI was used from the definition of strong TLS protection in 5.2. However, I'm reluctant for us to make that change with only casual review, so I'd like at least Yngve to have a close look at this.

As a side remark, sections 8.6 and 8.7 talk about HTTPS, too. The considerations in 8.6 do hold for the RFC 2817 case (in fact, more strongly so than for the HTTPS case), so I'm inclined to just leave it as is. In section 8.7, we talk about "HTTPS transactions", which could without harm be changed into "TLS-protected HTTP transactions"; that would actually make this particular section more in line with the overall text of the document.

Thoughts?

-- 
Thomas Roessler, W3C <tlr@w3.org>
Received on Wednesday, 7 April 2010 09:43:57 UTC