Re: ISSUE-245: Do not require HTTPS URI for strong TLS protection

Done.  I suggest we keep the change to the security considerations that I had made in connection with this.

Regards,
--
Thomas Roessler, W3C  <tlr@w3.org>

On 16 Apr 2010, at 16:09, Mary Ellen Zurko wrote:

> Sold.
> 
> Consensus declared.
> 
> Thomas, please revert us to the CR text on this. tx. 
> 
>           Mez
> 
> 
> 
> 
> 
> From:        Mary Ellen Zurko/Westford/IBM@Lotus
> To:        public-wsc-wg@w3.org
> Date:        04/12/2010 02:02 PM
> Subject:        Re: ISSUE-245: Do not require HTTPS URI for strong TLS protection
> Sent by:        public-wsc-wg-request@w3.org
> 
> 
> 
> Going once, going twice....
> 
> (anyone with any issues with the CR text and reasoning in this thread?)
> 
> From: Joe Steele <steele@adobe.com> 
> Date: Fri, 9 Apr 2010 10:33:13 -0700
> To: Thomas Roessler <tlr@w3.org> 
> CC: "ifette@google.com" <ifette@google.com>, Web Security Context Working Group WG <public-wsc-wg@w3.org> 
> Message-ID: <6BBBE705-5FD5-4B51-9ACF-8FCFB1B6EF60@adobe.com> 
> 
> I am fine with the CR version of this text. 
> 
> On Apr 9, 2010, at 9:56 AM, Thomas Roessler wrote:
> 
> > Ian Fette (イアンフェッティ) wrote:
> >> I am very unhappy about this. I personally think it would be confusing to
> >> users to see e.g. EV indication with an http URL. Users have no way of
> >> knowing what the heck is going on here with upgrade, and furthermore are
> >> likely to think they are secure when they just cut and paste in that URL
> >> (since the upgrade will start on server response, as opposed to the client
> >> expecting TLS/SSL from the start.)
> >> 
> >> If a site wants to use upgrade for whatever reason, fine, but if they want
> >> the full SSL UI IMO they should instead do a
> >> 
> >> HTTP/1.1 301 Moved Permanently
> >> Location: https://www.example.org/
> >> 
> >> I am not in favor of this change to WSC-UI, and think we should reject the
> >> proposal in [2] and instead leave the spec as it was.
> > 
> > I can live with either following [2] or returning to the CR version on this 
> > particular language.
> > 
> > I will note that, during the call, we didn't consider the UI implications of 
> > not having an https URI, so I'm in favor of discussing that aspect, even 
> > though it (strictly speaking) implies reopening the issue.
> > 
> > 
> > 
> >> Am 9. April 2010 08:22 schrieb Web Security Context Working Group Issue
> >> Tracker<sysbot+tracker@w3.org<sysbot%2Btracker@w3.org>>:
> >> 
> >>> ISSUE-245: Do not require HTTPS URI for strong TLS protection
> >>> 
> >>> http://www.w3.org/2006/WSC/track/issues/245
> >>> 
> >>> Raised by: Thomas Roessler
> >>> On product:
> >>> 
> >>> In LC-2382 [1], it was noted that the definition of "strongly protected TLS
> >>> connections" required use of an HTTPS URI. For detailed discussion, see [2].
> >>> 
> >>> The WG decided during its call on 2010-03-31 [3] to accept the proposal in
> >>> [2].
> >>> 
> >>> 1. http://www.w3.org/2006/02/lc-comments-tracker/39814/WD-wsc-ui-20100309/2382
> >>> 2. http://lists.w3.org/Archives/Public/public-wsc-wg/2010Apr/0009.html
> >>> 3. http://www.w3.org/2010/03/31-wsc-minutes.html
> >>> 
> >>> 
> >>> 
> >>> 
> >> 
> > 
> > 
> 
> 

Received on Friday, 16 April 2010 14:12:36 UTC