- From: Doyle, Bill <wdoyle@mitre.org>
- Date: Wed, 5 Dec 2007 09:06:34 -0500
- To: "Doyle, Bill" <wdoyle@mitre.org>, "Johnathan Nightingale" <johnath@mozilla.com>
- Cc: "Mary Ellen Zurko" <Mary_Ellen_Zurko@notesdev.ibm.com>, <public-wsc-wg@w3.org>
- Message-ID: <518C60F36D5DBC489E91563736BA4B5801CB96E5@IMCSRV5.MITRE.ORG>
Saw that this was stored in my drafts folder - thought it was sent out last week. I have a question on what fields are considered trusted or the WSC considers trusted in a standard issued x.509 certificate. Several fields are mandatory and are part of the signature, these fields are noted below. 1. Name 2. Issuer name 3. Serial number 4. validity interval I am having a problem stating that any of the data in a standard X.509 cert besides what is provided by the CA is trusted (the CA can probably be tracked down). The process to obtain a standard X.509 certificates does not have inherent mechanisms to trust item 1 In EV certificates, the specification notes that the subject Identity has gone through a verification process. Because EV documents the identity verification process, seems that an EV identity can be considered trusted information. I can write a note that only trusted information is included in secure UI - When should WSC consider information trusted? Thx Bill D. ________________________________ From: public-wsc-wg-request@w3.org [mailto:public-wsc-wg-request@w3.org] On Behalf Of Doyle, Bill Sent: Tuesday, November 27, 2007 8:48 AM To: Johnathan Nightingale Cc: Mary Ellen Zurko; public-wsc-wg@w3.org Subject: RE: ACTION-318: Draft a new subsection to section 7 discussing the mixing of trusted/untrusted information in the UI Thanks! ________________________________ From: Johnathan Nightingale [mailto:johnath@mozilla.com] Sent: Monday, November 26, 2007 6:29 PM To: Doyle, Bill Cc: Mary Ellen Zurko; public-wsc-wg@w3.org Subject: Re: ACTION-318: Draft a new subsection to section 7 discussing the mixing of trusted/untrusted information in the UI Hey Bill, The guidelines specify the fields for which EV certificates make specific guarantees. http://cabforum.org/EV_Certificate_Guidelines.pdf Cheers, Johnathan On 26-Nov-07, at 4:20 PM, Doyle, Bill wrote: Johnathan, Do you have a link to the attributes required by EV certs? Thx B ________________________________ From: Johnathan Nightingale [mailto:johnath@mozilla.com] Sent: Wednesday, November 14, 2007 10:39 AM To: Doyle, Bill Cc: Mary Ellen Zurko; public-wsc-wg@w3.org Subject: Re: ACTION-318: Draft a new subsection to section 7 discussing the mixing of trusted/untrusted information in the UI I'd agree that this sounds like a Robustness (§8) topic too. There is already an 8.2 though, so I would expect this to be 8.4. I would also point out that we should be clear here, because there are two kinds of mixing: - Mixing web content some of which was obtained over SSL and some of which was not - Displaying unverified certificate fields alongside verified fields, in certificate-based UI This action deals with the second one only, which is fine, but it should be made clear that we are talking about certificate contents, since "mixed content" usually refers to the first type. I'll also be interested to see how this phrasing ends up, because I wouldn't want us writing a recommendation that, for instance, makes browsers with a "View Certificate" button non-conforming since that UI will show all the fields of the cert, verified alongside unverified. If we want to specify presentation even in cases like that, we should be deliberate about it. Cheers, J On 14-Nov-07, at 10:04 AM, Doyle, Bill wrote: Section 8 Given the description of section 8 and 8.1 included below http://www.w3.org/TR/wsc-xit/#Robustness 8.1 Do not mix content and security indicators <http://www.w3.org/TR/wsc-xit/#site-identifying> add 8.2 Do not mix secure an insecure content in UI ... - blah - blah - Certificates include secure and non-secured content, non-secured certificate content should not be represented in secured areas of the UI ________________________________ From: Mary Ellen Zurko [mailto:Mary_Ellen_Zurko@notesdev.ibm.com] Sent: Wednesday, November 14, 2007 9:47 AM To: Doyle, Bill Cc: public-wsc-wg@w3.org Subject: RE: ACTION-318: Draft a new subsection to section 7 discussing the mixing of trusted/untrusted information in the UI You're still not looking at the right document Bill. Please read my EVERY word :-) http://www.w3.org/TR/wsc-xit/ <http://www.w3.org/TR/wsc-xit/> Mez Mary Ellen Zurko, STSM, IBM Lotus CTO Office (t/l 333-6389) Lotus/WPLC Security Strategy and Patent Innovation Architect From: "Doyle, Bill" <wdoyle@mitre.org> To: "Mary Ellen Zurko" <Mary_Ellen_Zurko@notesdev.ibm.com> Cc: <public-wsc-wg@w3.org> Date: 11/14/2007 08:22 AM Subject: RE: ACTION-318: Draft a new subsection to section 7 discussing the mixing of trusted/untrusted information in the UI ________________________________ could go under section 9 - problems with status quo Secured and non-secured content is mixed ________________________________ From: public-wsc-wg-request@w3.org [mailto:public-wsc-wg-request@w3.org <mailto:public-wsc-wg-request@w3.org> ] On Behalf Of Mary Ellen Zurko Sent: Wednesday, November 14, 2007 7:50 AM To: Doyle, Bill Cc: public-wsc-wg@w3.org Subject: RE: ACTION-318: Draft a new subsection to section 7 discussing the mixing of trusted/untrusted information in the UI I believe the referernce is to wsc-xit, not wsc-usecases. http://lists.w3.org/Archives/Member/member-wsc-wg/2007Oct/0011.html <http://lists.w3.org/Archives/Member/member-wsc-wg/2007Oct/0011.html> And I agree; section 7 doesn't look like the right place to me. If it's about mixing trusted and untrusted info in certs; maybe sections 4 or 8? Johnathan, Thomas, Tyler - you were all on the discussion; any better recall? Mez Mary Ellen Zurko, STSM, IBM Lotus CTO Office (t/l 333-6389) Lotus/WPLC Security Strategy and Patent Innovation Architect From: "Doyle, Bill" <wdoyle@mitre.org> To: "Doyle, Bill" <wdoyle@mitre.org>, <public-wsc-wg@w3.org> Date: 11/09/2007 03:48 PM Subject: RE: ACTION-381: Draft a new subsection to section 7 discussing the mixing of trusted/untrusted information in the UI ________________________________ Seems like UI issues and mixing of trusted/untrusted information should go under this heading 2.5 Reliable presentation of security information <http://www.w3.org/TR/2007/WD-wsc-usecases-20071101/#trusted-path> ________________________________ From: public-wsc-wg-request@w3.org [mailto:public-wsc-wg-request@w3.org <mailto:public-wsc-wg-request@w3.org> ] On Behalf Of Doyle, Bill Sent: Friday, November 09, 2007 3:24 PM To: public-wsc-wg@w3.org Subject: ACTION-381: Draft a new subsection to section 7 discussing the mixing of trusted/untrusted information in the UI If I have this action right I am not sure if this belongs in section 7 - The section is titled Security Information Available to the User Agent Furthermore, section 7 has a heading titled "defined by user agent" and UI is defined by user agent. Is the WG making a statement that this particular UI decision should not be left up to browser developer community? I am thinking that section 7 is the inputs and UI is an output, UI is the application or use of security information. Do we need a new section? Cheers Bill D. --- Johnathan Nightingale Human Shield johnath@mozilla.com --- Johnathan Nightingale Human Shield johnath@mozilla.com
Received on Wednesday, 5 December 2007 14:07:13 UTC