Hi,

I stumbled upon several obscure terms and sentences while reading the spec (see list below). The terms are not defined. As far as I can tell, they are all basic terms when one is used to dealing with security on the Web. Even though it contains "Security", the title looks friendly, and doesn't seem to infer that a technical background on security is required. Since there is no audience section, I expect I'm reasonably well-versed in Web matters to understand the spec. That is not the case: I understand the clauses, which is good, but I sometimes fail to understand the rationale behind them.

Depending on the audience you are targeting, you may not want to define these terms in the spec. That is the gist of this comment: the audience is not defined. If your primary target is security experts, there is no need to read the following list. If your primary target is user interface developers, you should clarify them. In any case, you should probably mention it and specify the expected knowledge before reading the spec so that readers know what to expect beforehand.

Here is the list of security-related topics that are not so common for other communities (well, "for me" at least, that is ;)):

- Section 5: The "TLS" acronym is actually never defined (only mentioned in the references part).
- Section 5.1.5: "use of TLS provides confidentiality protection services against passive attackers". What is a "passive attacker"?
- Section 5.1.5: "this can be strong evidence that protection against an active attacker has been achieved as well". What is an "active attacker"?
- Section 5.1.5: "evidence that a man in the middle attack occurs". For once, I know what a "man in the middle attack" refers to, but I'm not sure everyone does.
- Section 5.2: "for both confidentiality and integrity protection". I get the difference, but that may be worth a little explanation as well.
- Section 7.1.1: same thing with "phishing" and "spoofing", although these are probably known by more people.
- Section 8.2: What does "OCSP" stand for?

As a side note, I am totally fine with the relative complexity created by the multiple definitions the spec already contains. Precision is good!

Thanks,
Francois Daoust, W3C Staff Contact, Mobile Web Best Practices Working Group.