ISSUE-142: Page Security Score does not yet have enough content behind it [wsc-xit] from Web Security Context Working Group Issue Tracker on 2007-12-14 (public-wsc-wg@w3.org from December 2007)

From: Web Security Context Working Group Issue Tracker <sysbot+tracker@w3.org>
Date: Fri, 14 Dec 2007 22:39:22 +0000 (GMT)
To: public-wsc-wg@w3.org
Message-Id: <20071214223922.822CBC6DB0@barney.w3.org>

ISSUE-142: Page Security Score does not yet have enough content behind it [wsc-xit]

http://www.w3.org/2006/WSC/track/issues/

Raised by: Mary Ellen Zurko
On product: wsc-xit

6.3

"The user agent MUST reduce the state of all security context information made available to a single value. "

I'm not convinced of the MUST. The thinking in this section has not taken into account the richness and diversity of identity information, vs. security quality/protection information. If there was a proposal for a way to delineate security quality/protection information, or remove identity identification data from this value, I might go with it. But I can't come up with that myself at this moment. So I propose instead that this be a SHOULD. This would also imply a SHOULD for the following: 
"The user agent MUST make the security context information value available to the end user, in either primary or secondary chrome"

We still need a lo fi prototype of this. We can't keep this in the recommendation without at least an example we've all looked at and had "expert" review of. It's too vague to make it all the way to recommendation otherwise (remember the whole coding step thing).

Received on Friday, 14 December 2007 22:39:29 UTC