Updated finding: "URIs, Addressability, and the use of HTTP GET and POST"

Hello,

Per my action at the TAG's 15 Sep teleconf [1], I am
pleased to make available the 16 Sep draft finding [2]
"URIs, Addressability, and the use of HTTP GET and POST".

This draft incorporates comments from Noah Mendelsohn [3]
pertaining to section 4 "Considerations for sensitive
data". The changes involve:

 - Broadening of scope from language such as "Use SSL" 
   to language such as "Use a secure protocol such as SSL".
 - Per NM's suggestion, added text about using POST when
   it is inappropriate to use a secure protocol, and included
   his examples.
 - Per NM's suggestion, added example of operations
   that are unsafe because they cause the user to incur
   security-related obligations. 
 - Addition of a reference for SSL3.

I welcome review of all of (the short) section 4, of course.
I am not entirely satisfied with the example that talks
about an audited resource. I think more needs to be said
about what "audited" means. Noah mentions GET as being
appropriate for anonymous transactions. However, are there
other interactions that involve tracking but not "auditing"?
I guess I am looking for a clearer statement from Noah
about what he means by "auditing".

Per the TAG's 15 Sep teleconf, the TAG's expectations are
that, unless there are strong objections to this new language,
the finding will be accepted in the near future.

Thank you all for your very helpful reviews!

 _ Ian

[1] http://www.w3.org/2003/09/15-tag-summary.html#whenToUseGet-7
[2] http://www.w3.org/2001/tag/doc/whenToUseGet-20030916
[3] http://lists.w3.org/Archives/Public/www-tag/2003Jul/0297
-- 
Ian Jacobs (ij@w3.org)   http://www.w3.org/People/Jacobs
Tel:                     +1 718 260-9447

Received on Tuesday, 16 September 2003 16:06:30 UTC