Re: ISSUE-245: Do not require HTTPS URI for strong TLS protection

Going once, going twice....

(anyone with any issues with the CR text and reasoning in this thread?)

From: Joe Steele <steele@adobe.com> 
Date: Fri, 9 Apr 2010 10:33:13 -0700
To: Thomas Roessler <tlr@w3.org> 
CC: "ifette@google.com" <ifette@google.com>, Web Security Context Working 
Group WG <public-wsc-wg@w3.org> 
Message-ID: <6BBBE705-5FD5-4B51-9ACF-8FCFB1B6EF60@adobe.com> 

I am fine with the CR version of this text. 

On Apr 9, 2010, at 9:56 AM, Thomas Roessler wrote:

> Ian Fette (イアンフェッティ) wrote:
>> I am very unhappy about this. I personally think it would be confusing 
to
>> users to see e.g. EV indication with an http URL. Users have no way of
>> knowing what the heck is going on here with upgrade, and furthermore 
are
>> likely to think they are secure when they just cut and paste in that 
URL
>> (since the upgrade will start on server response, as opposed to the 
client
>> expecting TLS/SSL from the start.)
>> 
>> If a site wants to use upgrade for whatever reason, fine, but if they 
want
>> the full SSL UI IMO they should instead do a
>> 
>> HTTP/1.1 301 Moved Permanently
>> Location: https://www.example.org/

>> 
>> I am not in favor of this change to WSC-UI, and think we should reject 
the
>> proposal in [2] and instead leave the spec as it was.
> 
> I can live with either following [2] or returning to the CR version on 
this 
> particular language.
> 
> I will note that, during the call, we didn't consider the UI 
implications of 
> not having an https URI, so I'm in favor of discussing that aspect, even 

> though it (strictly speaking) implies reopening the issue.
> 
> 
> 
>> Am 9. April 2010 08:22 schrieb Web Security Context Working Group Issue
>> Tracker<sysbot+tracker@w3.org<sysbot%2Btracker@w3.org>>:
>> 
>>> ISSUE-245: Do not require HTTPS URI for strong TLS protection
>>> 
>>> http://www.w3.org/2006/WSC/track/issues/245

>>> 
>>> Raised by: Thomas Roessler
>>> On product:
>>> 
>>> In LC-2382 [1], it was noted that the definition of "strongly 
protected TLS
>>> connections" required use of an HTTPS URI. For detailed discussion, 
see [2].
>>> 
>>> The WG decided during its call on 2010-03-31 [3] to accept the 
proposal in
>>> [2].
>>> 
>>> 1.
>>> 
http://www.w3.org/2006/02/lc-comments-tracker/39814/WD-wsc-ui-20100309/2382

>>> 2. http://lists.w3.org/Archives/Public/public-wsc-wg/2010Apr/0009.html

>>> 3. http://www.w3.org/2010/03/31-wsc-minutes.html

>>> 
>>> 
>>> 
>>> 
>> 
> 
> 

Received on Monday, 12 April 2010 18:01:34 UTC