Clarify UX of CoSL

Raised by:
Mary Ellen Zurko
Opened on:

"During interactions with a Web page for which any of the resources involved was retrieved through a weakly TLS-protected transaction, the identity signal must be indistinguishable from one that would be shown for an unprotected HTTP transaction, unless a change of security level has occured."

This seems to be the first place in the document that implies anything about what "change of security level" (CoSL) should/must be like from a user experience (UX). And the implication is, at the least, that it is _not_ the same as the UX for weakly TLS-protected web pages. We need to be more explicit about the UX for CoSL; at least about this level assumption. A straw-cat crack at it would be adding the following to 5.5:

A web user agent that displays any security context information in primary user interface MUST display a different form of security context information for change of security level and weakly TLS-protected transactions.
Related Actions Items:
No related actions
Related emails:
  1. ISSUE-139: Clarify UX of CoSL [wsc-xit] (from on 2007-12-14)

Related notes:

Added to xit as open issue under section 6.1.2

Anil Saldhana, 21 Jan 2008, 22:14:03

Display change log ATOM feed

Mary Ellen Zurko <>, Chair, Thomas Roessler <>, Staff Contact
Tracker (configuration for this group), originally developed by Dean Jackson, is developed and maintained by the Systems Team <>.
$Id: 139.html,v 1.1 2010/10/11 09:35:06 dom Exp $