RE: [Policy] [ACTION-152] Editor Updates to Policy Requirements and Policy Framework

Hi Laura,

Now it is me who has to apologize for not answering earlier :-)

My comments apply to sections 3.3.1 and 3.3.2 of the Device API Policy Framework document (http://dev.w3.org/2009/dap/policy/) and are motivated by the requirement to be able to identify individual web applications by the Subject attributes. This is needed for specific use cases. See http://lists.w3.org/Archives/Public/public-device-apis/2010Apr/0084.html.


Issue 1 - Common Name versus whole Subject field:

I understand your points about the certificate's subject field. However, I mean that it would be possible to create a parser even though the fields within the subject are order independent and may change. I mean that the configured policy could define the parts of the subject field that are needed for a full identification of the web application. For example, if Common Name is enough then the subject field only contains Common Name and only Common Name is used in the comparison with the certificate. If both Common Name and Organization are needed then both these fields are included in the configured policy's subject field. For example: "CN=www.freesoft.org/emailAddress=baccala@freesoft.org O=Brent Baccala".

This would give a flexible solution and make it possible to identify with a fine granularity when this is needed.

Issue 2 - Identification of a web site:

What I am basically saying is that it is not enough to state root certificate attributes; server certificate attributes are also needed. Furthermore, I think that we have a terminology confusion. Isn't the commonly used term for a site's certificate "server certificate"? However, in 3.3.2 it is called "site certificate" and 3.3.1 refers to "distributor". I suggest a consistent naming.

I suggest adding the following to the table in 3.3.2:

key-server-subject: The subject field of the server certificate. Empty bag if none.
key-server-fingerprint: The fingerprint of the server certificate. Empty bag if none.

Issue 3 - Fingerprint:

Doesn't the hash-method need to be stated?

Best regards
  Claes

  
> -----Original Message-----
> From: Arribas, Laura, VF-Group [mailto:Laura.Arribas@vodafone.com]
> Sent: onsdag den 5 maj 2010 15:29
> To: Nilsson, Claes1; W3C Device APIs and Policy WG
> Subject: RE: [Policy] [ACTION-152] Editor Updates to Policy
> Requirements and Policy Framework
> 
> Hi Claes,
> 
> Sorry for the delay answering to your e-mail. Please find my comments
> below.
> 
> > Section 3.3.1 Widget Attributes:
> > * Why is only "common name" used for distributor, distributor root,
> > author and author root certificates? Don't we need the whole "subject"
> > to get a more flexible identification of a widget resource?
> I see your point and agree that considering the whole subject for the
> root certificates may make more sense, since the subject for the root
> certificates is very likely to stay the same. However, for other
> certificates I don't believe using the whole subject to identify a
> widget is the best option, since: i) the probability that the fields in
> the subject change is very high; ii) according to the standards the
> fields in the subject are order independent, which means that when
> comparing the content of the subject with the policy, a different order
> could mean that the subject-match is not met even if the subject fields
> have the same values; iii) there is no limit on the size of the subject,
> which could potentially be a problem.
> 
> > Section 3.3.2 Website Attributes:
> > In order to securely identify a web site and achieve the granularity
> > of a specific web application, don't we need attributes for the site's
> > server certificate? I also suggest that server certificate attributes
> > are added:
> > * Suggest that the whole "subject" is used instead of only "common
> > name" for the root certificate.
> Agree in the case of the root certificate.
> > * Suggest to add: key-server-subject: The subject field of the server
> > certificate chained to by the site certificate. Empty bag if none.
> Sorry I don't understand this comment... What is the difference between
> the site certificate and the server certificate?
> > * Suggest to add: key-server-fingerprint: The fingerprint of the root
> > certificate chained to by the site certificate. Empty bag if none.
> Do you mean "server certificate"?
> 
> Let me know what you think.
> 
> Thanks,
> 
> Laura

Received on Thursday, 20 May 2010 13:16:54 UTC
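The subject-matching scheme discussed under Issue 1 (the policy names only the subject attributes it cares about, and the comparison is order independent, which addresses point ii of the quoted reply), together with an algorithm-qualified fingerprint for Issue 3, as an added illustration that is not part of this thread or of the DAP policy framework draft. It assumes subjects are written as RFC 4514 / OpenSSL one-line strings (separators ',' or '/', backslash escapes), uses a small hypothetical alias table for attribute type names, and runs on constructed sample data: the subject string is adapted from the example in the mail above, and the "DER" bytes are a placeholder, not a real certificate. Python, standard library only.

```python
"""Policy matching on a configured subset of certificate Subject attributes,
order independent, plus a fingerprint that names its hash algorithm.
Added example for the discussion above; standard library only."""

import hashlib
import hmac
import re
from typing import FrozenSet, List, Tuple

# Hypothetical alias table mapping RFC 4514 / OpenSSL attribute type names to
# one canonical spelling, so "cn", "CN" and "commonName" all compare equal.
ATTR_ALIASES = {
    "cn": "CN", "commonname": "CN",
    "o": "O", "organizationname": "O",
    "ou": "OU", "organizationalunitname": "OU",
    "c": "C", "st": "ST", "l": "L",
    "emailaddress": "emailAddress", "e": "emailAddress",
}

# Constructed sample data (not a real certificate). The subject is adapted from
# the example in the mail above, in OpenSSL one-line form.
SAMPLE_CERT_SUBJECT = "emailAddress=baccala@freesoft.org/O=Brent Baccala/CN=www.freesoft.org"
SAMPLE_CERT_DER = b"placeholder bytes standing in for a DER-encoded certificate"


def _split_unescaped(text: str, separators: str) -> List[str]:
    """Split on any character in `separators`, honouring backslash escapes."""
    parts, buf, escaped = [], [], False
    for ch in text:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch in separators:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    return [p for p in parts if p.strip()]


def parse_dn(dn: str) -> FrozenSet[Tuple[str, str]]:
    """Parse a string DN into a set of (type, value) attribute pairs.

    Accepts ',' (RFC 4514), '/' (OpenSSL) and '+' (multi-valued RDN) as
    separators. Returning a set is what makes the later comparison order
    independent: "CN=a,O=b" and "O=b,CN=a" parse to the same value.
    """
    attrs = set()
    for ava in _split_unescaped(dn, ",/+"):
        if "=" not in ava:
            raise ValueError(f"malformed attribute: {ava!r}")
        attr_type, _, value = ava.partition("=")
        attr_type = attr_type.strip().lower()
        attrs.add((ATTR_ALIASES.get(attr_type, attr_type), value.strip()))
    return frozenset(attrs)


def subject_matches(policy_subject: str, cert_subject: str, exact: bool = False) -> bool:
    """True when every attribute the policy lists appears in the certificate
    subject, in any order. Attributes the policy omits are ignored, so "CN=x"
    matches any subject containing CN=x while "CN=x/O=y" requires both;
    exact=True demands the whole subject instead. An empty policy is an error
    rather than a match-everything rule."""
    policy, cert = parse_dn(policy_subject), parse_dn(cert_subject)
    if not policy:
        raise ValueError("policy subject must name at least one attribute")
    return policy == cert if exact else policy <= cert


def fingerprint(cert_der: bytes, algorithm: str = "sha256") -> str:
    """Hash of the DER certificate, prefixed with the algorithm name so that a
    policy value is self-describing, e.g. "sha256:ba78..."."""
    return f"{algorithm}:{hashlib.new(algorithm, cert_der).hexdigest()}"


def fingerprint_matches(policy_fp: str, cert_der: bytes) -> bool:
    """Compare a policy fingerprint against a certificate. The policy value must
    name its algorithm; a bare hex string is rejected rather than guessed at.
    Colon-separated hex ("AB:CD:...") and upper case are accepted."""
    algorithm, sep, digest = policy_fp.partition(":")
    algorithm = algorithm.strip().lower()
    digest = digest.replace(":", "").strip().lower()
    if not sep or algorithm not in hashlib.algorithms_available:
        return False
    if not re.fullmatch(r"[0-9a-f]+", digest):
        return False
    return hmac.compare_digest(fingerprint(cert_der, algorithm), f"{algorithm}:{digest}")


def demo() -> dict:
    """The checks a policy engine would make against the sample data."""
    return {
        "cn_only": subject_matches("CN=www.freesoft.org", SAMPLE_CERT_SUBJECT),
        "cn_and_o": subject_matches("O=Brent Baccala/CN=www.freesoft.org", SAMPLE_CERT_SUBJECT),
        "wrong_o": subject_matches("CN=www.freesoft.org/O=Someone Else", SAMPLE_CERT_SUBJECT),
        "cn_only_exact": subject_matches("CN=www.freesoft.org", SAMPLE_CERT_SUBJECT, exact=True),
        "fp_sha256": fingerprint_matches(fingerprint(SAMPLE_CERT_DER, "sha256"), SAMPLE_CERT_DER),
        # A SHA-1 digest labelled as SHA-256 must not match: the hash method matters.
        "fp_wrong_algo": fingerprint_matches(
            "sha256:" + fingerprint(SAMPLE_CERT_DER, "sha1").split(":", 1)[1], SAMPLE_CERT_DER),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Two caveats a practitioner would add: the subset match means a policy naming only CN accepts any certificate whose subject contains that CN, so its strength rests entirely on the issuing CA's naming discipline, which is why the policy author should be able to add O or use the exact form; and a fingerprint without a stated algorithm is ambiguous (a 40-hex-digit value could be SHA-1 or a truncated SHA-256), so the policy value should carry the algorithm name as the example does.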