The W3C Technical Architecture Group (TAG) issued a set of guidelines for W3C's standardisation efforts in a statement called Securing the Web. The statement is partly in response to the STRINT workshop by STREWS, which it explicitly mentions as a source in the acknowledgements.

The IAB issued a similar statement in November, called the IAB Statement on Internet Confidentiality, which the W3C TAG mentions as another source for its own statement.

The W3C TAG stresses that the Web needs to be trustworthy to succeed, which includes authentication (knowing who you're talking to), integrity (information isn't tampered with by third parties) and confidentiality (no eavesdropping). It therefore proposes three guidelines:

  • The Web platform should be designed to actively prefer secure communication — typically, by encouraging use of https:// URLs instead of http:// ones (although exceptions like localhost do exist).
  • Barriers to adopting https:// should be removed where feasible.
  • The end-to-end nature of TLS encryption must not be compromised on the Web, in order to preserve trust.

The statement also describes how these recommendations can be applied in various areas of Web standardisation, inside and outside W3C.

One subtle difference between the statements from the W3C TAG and the IAB is that the former considers authentication inseparable from encryption, while the latter says that encrypting is still useful even when authentication is not possible. (Unauthenticated encryption doesn't stop an active attacker, but it does help against a passive one, i.e., one that only listens in and does not attempt to modify the communication.) This approach, known as Opportunistic Security, was one of the recommendations from the STRINT workshop.

This difference may be due to the fact that the W3C TAG considers only the Web, where by far the most used protocol is HTTP, whose encrypted version, HTTPS, includes authentication; while the IAB considers all Internet protocols, many of which have no encrypted variant at all yet. The W3C TAG does, however, mention that the authentication provided by HTTPS needs improvements and that there is work underway in that area.