- From: イアンフェッティ <ifette@google.com>
- Date: Fri, 9 Apr 2010 09:45:21 -0700
- To: Web Security Context Working Group WG <public-wsc-wg@w3.org>
- Message-ID: <g2xbbeaa26f1004090945mea1734a2z4fc7fa5e53fc5a67@mail.gmail.com>
I am very unhappy about this. I personally think it would be confusing to users to see e.g. EV indication with an http URL. Users have no way of knowing what the heck is going on here with upgrade, and furthermore are likely to think they are secure when they just cut and paste in that URL (since the upgrade will start on server response, as opposed to the client expecting TLS/SSL from the start.) If a site wants to use upgrade for whatever reason, fine, but if they want the full SSL UI IMO they should instead do a HTTP/1.1 301 Moved Permanently Location: https://www.example.org/ I am not in favor of this change to WSC-UI, and think we should reject the proposal in [2] and instead leave the spec as it was. -Ian Am 9. April 2010 08:22 schrieb Web Security Context Working Group Issue Tracker <sysbot+tracker@w3.org <sysbot%2Btracker@w3.org>>: > > ISSUE-245: Do not require HTTPS URI for strong TLS protection > > http://www.w3.org/2006/WSC/track/issues/245 > > Raised by: Thomas Roessler > On product: > > In LC-2382 [1], it was noted that the definition of "strongly protected TLS > connections" required use of an HTTPS URI. For detailed discussion, see [2]. > > The WG decided during its call on 2010-03-31 [3] to accept the proposal in > [2]. > > 1. > http://www.w3.org/2006/02/lc-comments-tracker/39814/WD-wsc-ui-20100309/2382 > 2. http://lists.w3.org/Archives/Public/public-wsc-wg/2010Apr/0009.html > 3. http://www.w3.org/2010/03/31-wsc-minutes.html > > > >
Received on Friday, 9 April 2010 16:46:26 UTC