Re: ISSUE-245: Do not require HTTPS URI for strong TLS protection

Ian Fette (イアンフェッティ) wrote:
> I am very unhappy about this. I personally think it would be confusing to
> users to see e.g. EV indication with an http URL. Users have no way of
> knowing what the heck is going on here with upgrade, and furthermore are
> likely to think they are secure when they just cut and paste in that URL
> (since the upgrade will start on server response, as opposed to the client
> expecting TLS/SSL from the start.)
>
> If a site wants to use upgrade for whatever reason, fine, but if they want
> the full SSL UI IMO they should instead do a
>
> HTTP/1.1 301 Moved Permanently
> Location: https://www.example.org/
>
> I am not in favor of this change to WSC-UI, and think we should reject the
> proposal in [2] and instead leave the spec as it was.

I can live with either following [2] or returning to the CR version on this 
particular language.

I will note that, during the call, we didn't consider the UI implications of 
not having an https URI, so I'm in favor of discussing that aspect, even 
though it (strictly speaking) implies reopening the issue.



> On 9 April 2010 08:22, Web Security Context Working Group Issue
> Tracker <sysbot+tracker@w3.org> wrote:
>
>> ISSUE-245: Do not require HTTPS URI for strong TLS protection
>>
>> http://www.w3.org/2006/WSC/track/issues/245
>>
>> Raised by: Thomas Roessler
>> On product:
>>
>> In LC-2382 [1], it was noted that the definition of "strongly protected TLS
>> connections" required use of an HTTPS URI. For detailed discussion, see [2].
>>
>> The WG decided during its call on 2010-03-31 [3] to accept the proposal in
>> [2].
>>
>> 1. http://www.w3.org/2006/02/lc-comments-tracker/39814/WD-wsc-ui-20100309/2382
>> 2. http://lists.w3.org/Archives/Public/public-wsc-wg/2010Apr/0009.html
>> 3. http://www.w3.org/2010/03/31-wsc-minutes.html
>>
>

Received on Friday, 9 April 2010 16:56:14 UTC