Re: Don't favour https ( LC-2382)

Folks, here's is my draft reply to Krzysztof. Thoughts? 
___________________________________________________

The working group remains in favor of the following text for several 
reasons: 

[Definition: An HTTP transaction is strongly TLS-protected if it is 
TLS-protected, an https URL was used, strong TLS algorithms were 
negotiated for both confidentiality and integrity protection, and at least 
one of the following conditions is true:] 

The first is that the specification deals with presentation and 
communication of web security context information to end users. Users are 
accustomed to the https: url, have been trained to look for it in many 
contexts, and would find it confusing to not find it in the presence of 
other security context indicators.

The second is that the scope of the specification is currently deployed 
best practice, and the implementation reports supporting the specification 
are based on the functionality in the web user agents reporting. The test 
cases they have used all include this definition. 

The definition of TLS-protected is the only place in the specification 
where we explicitly talk about TLS upgrade for HTTP transactions.  Since 
we cannot actually claim implementation of this mechanism, we propose to 
remove it from the definition.  This should make it clear that TLS upgrade 
is out of scope to this specification, and also makes the specification 
more internally consistent. 

[Definition: An HTTP transaction is TLS-protected if the resource was 
identified through a URI with the https URI scheme, the TLS handshake was 
performed successfully, and the HTTP transaction has occurred through the 
TLS channel.] 

Received on Tuesday, 4 May 2010 12:37:14 UTC