RE: Produce material on name-based virtual hosting and TLS from Dan Schutzer on 2007-03-07 (public-usable-authentication@w3.org from March 2007)

From: Dan Schutzer <dan.schutzer@fstc.org>
Date: Wed, 7 Mar 2007 08:39:35 -0500
To: "'Mary Ellen Zurko'" <Mary_Ellen_Zurko@notesdev.ibm.com>, "'public-usable-authentication'" <public-usable-authentication@w3.org>
Cc: "'EKR'" <ekr@networkresonance.com>, "'Hallam-Baker, Phillip'" <pbaker@verisign.com>, <beltzner@mozilla.com>, "'Dan Schutzer'" <dan.schutzer@fstc.org>
Message-ID: <007801c760be$0c8bf4e0$6500a8c0@dschutzer>

I think this is an important comment. If I understand it correctly, it is
necessary if we wish to take steps to use strong (PKI) means of identifying
a Website - which ultimately is necessary, and something the FI's are
willing to do

Dan Schutzer

  _____  

From: public-usable-authentication-request@w3.org
[mailto:public-usable-authentication-request@w3.org] On Behalf Of Mary Ellen
Zurko
Sent: Wednesday, March 07, 2007 8:03 AM
To: public-usable-authentication
Cc: EKR; Hallam-Baker, Phillip; beltzner@mozilla.com
Subject: Fw: Produce material on name-based virtual hosting and TLS

Since this discussion involves non WG members, I'm moving it to the list for
public comment.

Thanks for bringing this up, Phil and Eric. I've got a couple of reactions. 

As phrased, part of this is more a recommendation. That does not belong in
the Note, but it's good to start getting public comment (and WG comment) on
what we want in our recommendations. We'll be setting up an area in our wiki
soon to start holding these (just as we did to start holding potential draft
sections of the note). And of course discussions of potential
recommendations are archived on all the mailing lists. 

I'm trying to recast this to understand the general category of "problems
with the status quo" this falls under (or if it really is unique). You can
both help me with that. Would the general category be "technology
restrictions that undermine consistent and usable deployment of existing
sources of security context information"? (a bit of a mouthful; I'm sure we
can cut it down once we understand it.) Or perhaps "error conditions are
perceived as normal by users", with examples of why enough deployments
deploy with errors in configuring their security context information that
users find errors not surprising, which opens up another avenue of attack. 

This might also be related to our discussion of confirmation bias at
http://lists.w3.org/Archives/Public/public-wsc-wg/2007Mar/0037.html

Mike, did you have any concrete ideas on where we should slot that in in the
Note? 

          Mez

Mary Ellen Zurko, STSM, IBM Lotus CTO Office       (t/l 333-6389)
Lotus/WPLC Security Strategy and Patent Innovation Architect

----- Forwarded by Mary Ellen Zurko/Westford/IBM on 03/07/2007 07:53 AM
-----

"Hallam-Baker, Phillip" <pbaker@verisign.com> 
Sent by: public-wsc-wg-request@w3.org

03/06/2007 10:41 PM

To

"EKR" <ekr@networkresonance.com>

cc

<public-wsc-wg@w3.org>

Subject

RE: Produce material on name-based virtual hosting and TLS

Does the protocol allow the client to state that it supports NBVH? If so the
transition becomes smooth provided EV capable Web browsers also support NBVH
as a matter of course. 

> -----Original Message-----
> From: EKR [mailto:ekr@networkresonance.com] 
> Sent: Tuesday, March 06, 2007 6:53 PM
> To: Hallam-Baker, Phillip
> Cc: public-wsc-wg@w3.org
> Subject: Re: Produce material on name-based virtual hosting and TLS 
> 
> Hallam-Baker, Phillip <pbaker@verisign.com> wrote:
> 
> > (cc'd to EKR for comment)
> >  
> > I thinbk we need a section 9.6 as follows
> >  
> > 9.6 Cryptographic protocol limitations
> >  
> > 9.6.1 Layering of HTTP on SSL requires a static IP address 
> per secured 
> > site
> >  
> > IPv4 address space is a finite and increasingly scarce 
> resource. In order to reduce pressure on the IPv4 address 
> space the HTTP/1.1 protocol allows multiple domains to be 
> hosted on a single IP address.
> >  
> > This feature is not fully supported when HTTP is layered on 
> SSL 3.0 or TLS 1.0. The HTTP URI or Host header specifying 
> the virtual domain to connect to is only transmitted after 
> the transport layer security negotiation is complete. This 
> configuration does not allow the server to vary the server 
> certificate presented unless a separate IP address is used per domain.
> >  
> > This restriction is lifted in RFC 4366 S 3.1. Clients that 
> verify that the domain name of the certificate matches the 
> domain name of the site should be encouraged to support this 
> extension.
> 
> 
> This seems pretty correct. It might be nice to mention that 
> servers can't safely use NBVH until client deployment becomes 
> ubiquitous.
> 
> -Ekr
>

Received on Wednesday, 7 March 2007 13:40:03 UTC