RE: Opera's three security levels

Mez,
 
Seems like the response from Michael ties into action item 18 that I am
writing up. I also felt that this topic could be expanded upon to
discuss general protection mechanisms that are negotiated between the site
and the browser including SSL (ciphers and key lengths), PKI Cert with
some robustness standards that could be requested / applied.
 
 
Bill D.
wdoyle@mitre.org



________________________________

	From: public-wsc-wg-request@w3.org [mailto:public-wsc-wg-request@w3.org] On Behalf Of Mary Ellen Zurko
	Sent: Monday, November 20, 2006 11:51 AM
	To: mikes@opera.com
	Cc: public-wsc-wg@w3.org
	Subject: Re: Opera's three security levels
	
	

	Thanks. 
	
	One thing that jumps out at me is that it's not clear what the
	user should and shouldn't do in situations where those various levels
	occur. Do you have any actionable advice to the user associated with
	these levels?
	        Mez
	
	
	
	
	
"Michael(tm) Smith" <mikes@opera.com>
Sent by: public-wsc-wg-request@w3.org
11/17/2006 05:35 AM
To: public-wsc-wg@w3.org
cc:
Subject: Opera's three security levels

	




	Below is a message from Opera's Yngve Pettersen that describes the
	criteria that Opera browser uses for selecting the 1-3 number
	displayed within the padlock icon in Opera (to indicate the
	security level).
	
	----- Forwarded message from "Yngve N. Pettersen (Developer Opera Software ASA)" <yngve@opera.com> -----
	
	Date: Thu, 16 Nov 2006 04:39:39 +0100
	To: "Michael(tm) Smith" <mikes@opera.com>
	Subject: Opera's 3 security levels
	From: "Yngve N. Pettersen (Developer Opera Software ASA)" <yngve@opera.com>
	
	Hi,
	
	I see from the WSC minutes that you want this information:
	
	Level 0: At least one resource was loaded from an unencrypted site, except
	for (Opera 8+) the first redirect as long as it is not a POST.
	
	Level 1: Chosen for
	
	 - 40 and 56 bit symmetric encryption (or below)
	 - anonymous ciphers
	 - authentication only.
	 - RSA/DH/DSA keys shorter than 900 bits (Opera 9+ can adjust this in
	   jumps of 100 bits as needed).
	 - Certificate warnings
	 - SSL v2 (any cipher)
	
	Level 2: RSA/DH/DSA keys between 900 (inclusive) and 1000 bits (not
	inclusive)
	
	Level 3:  requires all of these:
	
	 - 128 bit and more symmetric (including 3DES),
	 - 1000 bit or more RSA/DH/DSA (will be upgraded to 1020 bit as soon as
	   old RSA SSCA root has been phased out)
	 - Opera 9: No problems with OCSP validation (when used)
	
	OCSP problems (except revocation) result in a one level down indication.
	
	In Opera 9.10 no padlock is displayed for https pages that have level 2
	(IIRC) or below.
	
	In Opera 9.0x level 2 and below will show a partial lock (open in case of
	mixed security) on grey background. Opera 8.x uses yellow background for
	all levels for a https page.
	
	-- 
	Sincerely,
	Yngve N. Pettersen
	 
	
********************************************************************
	Senior Developer                     Email: yngve@opera.com
	Opera Software ASA                   http://www.opera.com/
	Phone:  +47 24 16 42 60              Fax:    +47 24 16 40 01
	
********************************************************************
	
	----- End forwarded message -----
	
	-- 
	Michael(tm) Smith
	Opera Software, Tokyo
	xmpp:smith@sideshowbarker.net
	irc://irc.freenode.net/mobile-web
	
	
	

Received on Monday, 20 November 2006 17:07:53 UTC
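
The level criteria listed in the forwarded message, written out as a decision function. This is an added example, not Opera's code or anything posted in the thread; the `Connection` fields and the `opera_level` name are hypothetical. Assumptions: a cipher stronger than 56 bits but below 128 bits lands on level 2 (the message does not say), the OCSP downgrade stops at level 1, and the redirect exception for level 0 is decided by the caller.

```python
from dataclasses import dataclass

@dataclass
class Connection:
    """Constructed model of the facts the forwarded message keys on."""
    all_encrypted: bool = True      # False: a resource came from an unencrypted site
                                    # (caller applies the first-redirect exception)
    sslv2: bool = False             # SSL v2, any cipher
    sym_bits: int = 128             # symmetric strength; 3DES counts as 128+
    anonymous_cipher: bool = False
    auth_only: bool = False         # authentication-only suite
    key_bits: int = 1024            # RSA/DH/DSA key length
    cert_warning: bool = False
    ocsp_problem: bool = False      # OCSP problem other than revocation

def opera_level(c, low_key=900, high_key=1000):
    """Return the 0-3 level per the criteria in the message.

    low_key/high_key are the 900 and 1000 bit thresholds quoted there;
    they are parameters because the message says they can move.
    """
    # Level 0: mixed content overrides everything else.
    if not c.all_encrypted:
        return 0
    # Level 1: any single weak property is enough.
    if (c.sslv2 or c.sym_bits <= 56 or c.anonymous_cipher or c.auth_only
            or c.key_bits < low_key or c.cert_warning):
        return 1
    # Level 3 needs both a 128+ bit cipher and a key of high_key bits or more.
    # Assumption: anything that misses level 3 without hitting level 1 is level 2.
    level = 3 if (c.key_bits >= high_key and c.sym_bits >= 128) else 2
    # Non-revocation OCSP problems cost one level.
    # Assumption: never below 1, since level 0 is reserved for mixed content.
    if c.ocsp_problem:
        level = max(1, level - 1)
    return level

if __name__ == "__main__":
    # Constructed sample connections.
    for conn in (Connection(), Connection(key_bits=950),
                 Connection(sym_bits=56), Connection(ocsp_problem=True)):
        print(opera_level(conn), conn)
```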