- From: Mary Ellen Zurko <mzurko@us.ibm.com>
- Date: Tue, 4 May 2010 08:38:30 -0400
- To: public-wsc-wg@w3.org
- Message-ID: <OFF057DB89.7495F5D4-ON85257715.006BE544-85257719.004544FC@LocalDomain>
Folks, here's is my draft reply to Krzysztof. Thoughts? ___________________________________________________ The working group remains in favor of the following text for several reasons: [Definition: An HTTP transaction is strongly TLS-protected if it is TLS-protected, an https URL was used, strong TLS algorithms were negotiated for both confidentiality and integrity protection, and at least one of the following conditions is true:] The first is that the specification deals with presentation and communication of web security context information to end users. Users are accustomed to the https: url, have been trained to look for it in many contexts, and would find it confusing to not find it in the presence of other security context indicators. The second is that the scope of the specification is currently deployed best practice, and the implementation reports supporting the specification are based on the functionality in the web user agents reporting. The test cases they have used all include this definition. The definition of TLS-protected is the only place in the specification where we explicitly talk about TLS upgrade for HTTP transactions. Since we cannot actually claim implementation of this mechanism, we propose to remove it from the definition. This should make it clear that TLS upgrade is out of scope to this specification, and also makes the specification more internally consistent. [Definition: An HTTP transaction is TLS-protected if the resource was identified through a URI with the https URI scheme, the TLS handshake was performed successfully, and the HTTP transaction has occurred through the TLS channel.]
Received on Tuesday, 4 May 2010 12:37:14 UTC