
Re: ACTION-272: self-signed certificates

From: Serge Egelman <egelman@cs.cmu.edu>
Date: Mon, 30 Jul 2007 18:17:10 -0400
Message-ID: <46AE6366.2020809@cs.cmu.edu>
To: Mary Ellen Zurko <Mary_Ellen_Zurko@notesdev.ibm.com>, public-wsc-wg@w3.org



Thomas Roessler wrote:
> On 2007-07-30 17:24:18 -0400, Mary Ellen Zurko wrote:
> 
>> I'm unclear how this interacts with other proposals in terms of
>> inputting data (particularly login credentials) the first few
>> times I visit such a site. It sounds like the recommendation
>> would make them look totally unidentified. Is that right? 
> 
> Yes, similar to Phil's "no-interaction" proposal:
> 
>   http://www.w3.org/2006/WSC/wiki/RecommendationDisplayProposals/NoSecurityIndicator
> 
> The additional idea in the self-signed certificate proposal is to
> actually turn on the indicators after a while, and maybe even warn
> (or block) if a self-signed certificate is changed.

But the users who are going to notice these types of indicators likely
already understand self-signed certificates.  The vast majority of the
users will never notice or understand these indicators.

And again, how is the self-signed certificate any more trustworthy than
a low-assurance certificate?  It would seem that the best solution
should be to *only* keep track of consistency.

> 
> There would also be a block page if a user hits a site for which a
> CA has been used in the past, but for which he now encounters a
> self-signed certificate.

Yes, this tracks consistency and is a reasonable idea.

> 
>> I think I'd need to consider this in the context of, say,
>> Identity Signal to understand the impact and implications.
> 
> Indeed.
> 

-- 
/*
Serge Egelman

PhD Candidate
Vice President for External Affairs, Graduate Student Assembly
Carnegie Mellon University

Legislative Concerns Chair
National Association of Graduate-Professional Students
*/
Received on Monday, 30 July 2007 22:17:53 GMT
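
The consistency tracking discussed in this thread, sketched as an added example that is not part of the original message or of any WSC proposal text. The class name, the outcome labels, and the visit threshold are assumptions made for illustration; the thread only says indicators turn on "after a while".

```python
import hashlib
from dataclasses import dataclass

# Assumption: the thread gives no number for "after a while"; 3 is a placeholder.
VISITS_BEFORE_INDICATOR = 3

@dataclass
class Seen:
    fingerprint: str  # SHA-256 over the certificate's DER encoding
    ca_issued: bool   # True if the recorded certificate chained to a trusted CA
    visits: int = 1

class ConsistencyStore:
    """Per-host record of the last accepted certificate (hypothetical helper)."""

    def __init__(self):
        self._hosts = {}

    def check(self, host, cert_der, ca_issued):
        fp = hashlib.sha256(cert_der).hexdigest()
        prev = self._hosts.get(host)
        if ca_issued:
            # Ordinary CA validation applies; remember that a CA was used here.
            self._hosts[host] = Seen(fp, True)
            return "ca-validated"
        if prev is None:
            # First sighting of a self-signed certificate: site looks unidentified.
            self._hosts[host] = Seen(fp, False)
            return "no-indicator"
        if prev.ca_issued:
            # A CA was used in the past, now self-signed: block page.
            return "block-downgrade"
        if prev.fingerprint != fp:
            # Self-signed certificate changed: warn (or block). The old record is
            # kept so the mismatch persists until the user decides (assumption).
            return "warn-changed"
        prev.visits += 1
        return "indicator" if prev.visits >= VISITS_BEFORE_INDICATOR else "no-indicator"

def demo():
    # Constructed byte strings stand in for DER-encoded certificates.
    store = ConsistencyStore()
    cert_a, cert_b, cert_ca = b"constructed-A", b"constructed-B", b"constructed-CA"
    out = [store.check("a.example", cert_a, False) for _ in range(3)]
    out.append(store.check("a.example", cert_b, False))
    out.append(store.check("b.example", cert_ca, True))
    out.append(store.check("b.example", cert_a, False))
    return out

if __name__ == "__main__":
    print(demo())
```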
