
Re: ACTION-272: self-signed certificates

From: Serge Egelman <egelman@cs.cmu.edu>
Date: Mon, 30 Jul 2007 18:17:10 -0400
Message-ID: <46AE6366.2020809@cs.cmu.edu>
To: Mary Ellen Zurko <Mary_Ellen_Zurko@notesdev.ibm.com>, public-wsc-wg@w3.org

Thomas Roessler wrote:
> On 2007-07-30 17:24:18 -0400, Mary Ellen Zurko wrote:
>> I'm unclear how this interacts with other proposals in terms of
>> inputting data (particularly login credentials) the first few
>> times I visit such a site. It sounds like the recommendation
>> would make them look totally unidentified. Is that right? 
> Yes, similar to Phil's "no-interaction" proposal:
>   http://www.w3.org/2006/WSC/wiki/RecommendationDisplayProposals/NoSecurityIndicator
> The additional idea in the self-signed certificate proposal is to
> actually turn on the indicators after a while, and maybe even warn
> (or block) if a self-signed certificate is changed.

But the users who are going to notice these types of indicators likely
already understand self-signed certificates.  The vast majority of the
users will never notice or understand these indicators.

And again, how is the self-signed certificate any more trustworthy than
a low-assurance certificate?  It would seem that the best solution
should be to *only* keep track of consistency.

> There would also be a block page if a user hits a site for which a
> CA has been used in the past, but for which he now encounters a
> self-signed certificate.

Yes, this tracks consistency and is a reasonable idea.

>> I think I'd need to consider this in the context of, say,
>> Identity Signal to understand the impact and implications.
> Indeed.

Serge Egelman

PhD Candidate
Vice President for External Affairs, Graduate Student Assembly
Carnegie Mellon University

Legislative Concerns Chair
National Association of Graduate-Professional Students
Received on Monday, 30 July 2007 22:17:53 UTC
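
The consistency tracking discussed in this message, as an added example that is not part of the original thread or of any working-group text. The function name, decision labels, SHA-256 fingerprint comparison and the three-visit threshold are assumptions; the thread only says "after a while".

```python
import hashlib
from dataclasses import dataclass

INDICATOR_AFTER_VISITS = 3  # assumption: the thread only says "after a while"

# Constructed stand-ins for DER-encoded certificates (not real certificates).
CERT_A, CERT_B, CERT_CA = b"constructed-self-signed-A", b"constructed-self-signed-B", b"constructed-ca-issued"

@dataclass
class Seen:
    fingerprint: str      # SHA-256 over the certificate bytes
    self_signed: bool
    visits: int = 1

def evaluate(history, host, cert, self_signed):
    """Return the UI decision for one visit and update per-host history."""
    fp = hashlib.sha256(cert).hexdigest()
    prev = history.get(host)
    if not self_signed:
        # CA-issued: outside the proposal, but remember a CA was used here.
        same = prev is not None and prev.fingerprint == fp
        history[host] = Seen(fp, False, prev.visits + 1 if same else 1)
        return "ca-validated"
    if prev is None:
        history[host] = Seen(fp, True)
        return "no-indicator"          # first visit looks unidentified
    if not prev.self_signed:
        return "block-downgrade"       # CA seen before, self-signed now
    if prev.fingerprint != fp:
        return "warn-changed"          # keep the old record, do not re-pin
    prev.visits += 1
    return "indicator-on" if prev.visits >= INDICATOR_AFTER_VISITS else "no-indicator"

def replay(visits):
    """Run (host, cert, self_signed) visits against a fresh history."""
    history = {}
    return [evaluate(history, *v) for v in visits], history

if __name__ == "__main__":
    decisions, _ = replay([
        ("wiki.example", CERT_A, True), ("wiki.example", CERT_A, True),
        ("wiki.example", CERT_A, True), ("wiki.example", CERT_B, True),
        ("shop.example", CERT_CA, False), ("shop.example", CERT_B, True),
    ])
    print(decisions)
```

On a changed or downgraded certificate the stored record is left untouched, so a repeat visit with the unexpected certificate gets the same decision rather than silently becoming the new baseline.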
