- From: Noah Mendelsohn <nrm@arcanedomain.com>
- Date: Mon, 16 Feb 2015 18:06:10 -0500
- To: Bjoern Hoehrmann <derhoermi@gmx.net>
- CC: "www-tag@w3.org List" <www-tag@w3.org>
On 2/16/2015 5:47 PM, Bjoern Hoehrmann wrote:

> The specification defines the behavior of user agents, not the behavior
> of a timbled kiosk in some heteronomous computing environment, and users
> are naturally the ultimate authority for any trust decisions agents may
> make. It would be ridiculous, for instance, to argue that a web crawler
> designed to scan web sites for malware would violate the rules of the
> protocol when scanning web sites that only support ciphers that are no
> longer considered secure enough for financial transactions.

I disagree. The specification is defining the use of a name for purposes of dereference. To conform to this specification, the agent must end-to-end encrypt, and the spirit seems clear that this means not modify the content. As I noted, you can create useful agents of all sorts, some of which will do useful things not conforming to this specification. I would argue that your proposed crawler is an example.

The specification defines a preferred way of dereferencing an https-scheme URI and says that a conforming agent shall do this. The foundational specification of the web, RFC 3986, delegates to the specification we're discussing. Thus, this appears to me to be the specified, conforming behavior for Web user agents.

I'm suggesting that if common practice is diverging from the conformance requirements of the normative specifications, then it would be useful for the TAG to tell us a story about that. Maybe the specifications should change, maybe common practice should change, maybe there's another reasonable interpretation of the phrase "MUST ensure that its connection to the origin server is secured through the use of strong encryption, end-to-end".

Noah

Received on Monday, 16 February 2015 23:06:33 UTC