Re: CfC: Mixed Content to PR; deadline July 6th. from Brian Smith on 2015-06-22 (public-webappsec@w3.org from June 2015)

From: Brian Smith <brian@briansmith.org>
Date: Mon, 22 Jun 2015 13:00:40 -0700
To: Mike West <mkwst@google.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>, Dan Veditz <dveditz@mozilla.com>, Wendy Seltzer <wseltzer@w3.org>, Brad Hill <hillbrad@gmail.com>, Kristijan Burnik <burnik@google.com>, Ryan Sleevi <sleevi@google.com>, Anne van Kesteren <annevk@annevk.nl>
Message-ID: <CAFewVt55TEDiPdQ9k9wNKO02f0ez8rQZSschH=kZ9GrOEjx56Q@mail.gmail.com>

On Mon, Jun 22, 2015 at 7:17 AM, Mike West <mkwst@google.com> wrote:

>
> https://w3c.github.io/webappsec/specs/mixedcontent/published/2015-07-PR.html
>
> This document is substantively the same as the CR, with the following
> normative changes:
>
> 1. I've dropped the "at risk" note for "deprecated TLS-protection":
> https://github.com/w3c/webappsec/commit/5dd23ba69ecd39a45eceff86533dfb91f0ab645c
> (CCing Brian, who I believe was interested in the opposite, and Ryan, who
> might or might not have implemented the SHA-1 bits for Chrome).
>

I don't have any problem with the idea of specifying/recommending
particular behavior for "deprecated TLS-protection." I think whether or not
it should remain in the spec, at this point, depends on whether at least
two independent implementations of it currently exist.

Cheers,
Brian

Received on Monday, 22 June 2015 20:01:10 UTC