WhatIsASecurePage not fully incorporated

Raised by:
Yngve Pettersen
Opened on:
This issue tracks the points raised in this message:

AFAICT, the following recommendations are not yet in wsc-xit, or possibly not sufficiently covered.

#6/#16: all-EV site (or in new nomenclature: all-AA sites).

#12: Delayed security level change (mostly to upgrade security level, despite unsecure loading). May
be covered by current security level change language.

More radical proposals not included

#8: Forbid mixing of non-TLS-protected content in TLS-protected webpages

#10: Forbid unsecure->secure password submit by clients

#11: secure->Unsecure POST submits

#13: Treat https-part of URL as a security indicator (also, relevant in relation to "Chinese
whispers"-robustness, ACTION-347)
Related Actions Items:
No related actions
Related emails:
  1. ISSUE-145 WhatIsASecurePage not fully incorporated (from on 2008-04-25)
  2. Re: ACTION-349: verify that normative material from WhatIsASecurePage was fully incorporated in wsc-xit (from on 2007-12-17)
  3. ISSUE-145: WhatIsASecurePage not fully incorporated [wsc-xit] (from on 2007-12-17)

Related notes:

No additional notes.

Display change log ATOM feed

Mary Ellen Zurko <>, Chair, Thomas Roessler <>, Staff Contact
Tracker (configuration for this group), originally developed by Dean Jackson, is developed and maintained by the Systems Team <>.
$Id: 145.html,v 1.1 2010/10/11 09:35:06 dom Exp $