- From: Thomas Roessler <tlr@w3.org>
- Date: Sat, 25 Aug 2007 12:14:53 +0200
- To: Mary Ellen Zurko <Mary_Ellen_Zurko@notesdev.ibm.com>
- Cc: public-wsc-wg@w3.org
On 2007-08-24 14:00:49 -0400, Mary Ellen Zurko wrote:

> Section 5.1 http://www.w3.org/2006/WSC/drafts/rec/rewrite.html#indicators
>
> "User interactions to access this identity signal MUST be
> consistent across all Web interactions, including interactions
> during which the Web user agent has no trustworthy information
> about the [[ identity ]] of the Web site that a user interacts
> with. In this case, user agents SHOULD indicate that no
> information is available. "
>
> Taken literally, this looks suspiciously like a software problem
> "no information is available" as opposed to an identity statement
> "the identity is unknown or anonymous".

True. I hear you suggesting that this should have an addition that says ", or the [[ identity ]] of the Web site is unknown"?

> "During interactions with a TLS-secured Web page for which the
> top-level resource has been retrieved through a strongly
> TLS-protected interaction that involves an attested certificate,
> the identity signal MUST include the Subject field's Organization
> attribute to inform the user about the owner of the Web page, and
> the Issuer field's Organization attribute to inform the user
> about the party responsible for that information. "
>
> I could use references for organization attributes, what they
> are, and why they're useful to the user. I'm guessing that anyone
> steeped in PKIX thinks this is intuitively obvious to the casual
> observer, but it's not to me.

RFC 3280, sections 4.1.2.4, 4.1.2.6, and below that X.520 (to which I don't have easy access).

Also, http://www.cabforum.org/contents.html:

    Organization name - This field must contain the Subject's (i.e., certificate holding entity's) full legal organization name as listed in the official records of the Incorporating Agency in the Subject's Jurisdiction of Incorporation. In addition, an assumed name or d/b/a (doing business as) name used by the Subject may be included at the beginning of this field, provided that it is followed by the full legal organization name in parenthesis. If the combination of the full legal organization name and the assumed or d/b/a name exceeds 64 bytes as defined by RFC 3280, the CA should use only the full legal organization name in the certificate.

Essentially, it's the field that says what company you're dealing with.

> Once I understand what's being said, I'm guessing I'm going to disagree. :)
> If there is a user specified nickname, then that's certainly much more
> meaningful (and to my mind secure against attacks that involve the user).
> If "include" is meant to cover that, because the nickname would be
> verified to be about something that includes those attributes, it
> wasn't clear to me on a first reading.

It isn't said currently, indeed. I think it would make sense to make a user-specified nickname another MUST; there is then a question whether that should be instead of the organization name or in addition to it.

http://www.w3.org/2006/WSC/drafts/rec/rewrite.html#pageinfosummary

> "Whether the user has visited the site in the past."
>
> I'd like to see this as a MUST, though I recognize my reasons for
> that are internally inconsistent. I believe this to be the most
> critical piece of information for the vast majority of successful
> attacks today. Yet in no scenario I've seen or believe in would a
> user get to this information "in time". Why is it not a MUST?

For no good reason. The current list is mostly there so we can start having discussions about moving elements. ;-)

In terms of exploiting history, though, I hope that the form-filler inspired discussions that the PIIEditorBar should lead us to might lead to better ways to leverage history into warning users.

-- 
Thomas Roessler, W3C <tlr@w3.org>
Received on Saturday, 25 August 2007 10:15:11 UTC
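An added example, not part of the archived message or of the WSC draft it discusses: it reads the Subject and Issuer Organization attributes the draft's identity signal is meant to show from a certificate in the shape Python's `ssl` `getpeercert()` returns, produces the signal text (using the "identity unknown" wording Zurko argues for when no attested certificate is available), and applies the CA/Browser Forum O-field rule quoted in the message. The certificates, the `strongly_protected`/`attested` flags and the signal wording are constructed assumptions.

```python
# Constructed sample in ssl.SSLSocket.getpeercert() shape: subject/issuer are
# tuples of RDNs, each RDN a tuple of (attribute type, value) pairs.
ATTESTED_CERT = {
    "subject": ((("countryName", "US"),),
                (("organizationName", "Example Corp"),),
                (("commonName", "www.example.com"),)),
    "issuer": ((("countryName", "US"),),
               (("organizationName", "Example Trust CA"),),
               (("commonName", "Example Trust EV Root"),)),
}

# Constructed domain-validated style cert: no Organization in the subject.
DV_CERT = {
    "subject": ((("commonName", "www.example.net"),),),
    "issuer": ((("organizationName", "Example Domain CA"),),),
}


def organization(name):
    """Return the Organization (O, RFC 3280 4.1.2.4/4.1.2.6) attribute of a Name, or None."""
    for rdn in name:
        for attr_type, value in rdn:
            if attr_type == "organizationName":
                return value
    return None


def identity_signal(cert, strongly_protected, attested):
    """Text the identity signal carries, following section 5.1 of the draft.

    cert is the peer certificate (getpeercert() shape) or None. Subject O and
    Issuer O are shown only for a strongly TLS-protected interaction with an
    attested certificate; every other case reports the identity as unknown."""
    if cert is None:
        return "identity unknown"
    subj_o, issuer_o = organization(cert["subject"]), organization(cert["issuer"])
    if not (strongly_protected and attested) or subj_o is None:
        return "identity unknown"
    return f"owner: {subj_o}; verified by: {issuer_o}"


def cabforum_org_field(legal_name, dba=None):
    """Build the O field as the CA/Browser Forum text quoted above prescribes:
    optional d/b/a first, then the legal name in parentheses, falling back to
    the legal name alone when the combination exceeds 64 bytes (RFC 3280)."""
    if dba is None:
        return legal_name
    combined = f"{dba} ({legal_name})"
    # The limit is in bytes, so a non-ASCII name may fail it while its
    # character count still looks acceptable.
    return combined if len(combined.encode("utf-8")) <= 64 else legal_name
```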