Fw: Don't favour https

fyi; first feedback to LC


----- Forwarded by Mary Ellen Zurko/Westford/IBM on 03/15/2010 01:13 PM -----

From:   Krzysztof Maczyński <1981km@gmail.com>
To:     <public-usable-authentication@w3.org>
Date:   03/12/2010 09:41 AM
Subject:        Don't favour https
Sent by:        public-usable-authentication-request@w3.org



Dear WG,

Section 5.2 of Web Security Context: User Interface Guidelines seems to 
favour the https scheme over http used with TLS as specified by RFC 2817. 
On the other hand, the W3C Director, TAG, IANA and other parties have 
indicated many times that URI schemes should be employed only if they 
enable identifying with URIs a class of resources semantically distinct 
from what other schemes already cover. Security characteristics of access 
to a resource are orthogonal to the identity of the resource itself 
(proof: the same resource can be made available by both means). Therefore, 
https is redundant and SHOULD NOT be used, since its range coincides with 
that of http. Please redefine “strongly TLS-protected” to include http 
with RFC 2817.

Best regards,

Krzysztof Maczyński
Invited Expert, HTML WG

Received on Monday, 15 March 2010 17:14:38 UTC