Re: ISSUE-130 (Trust Anchors): Trust Anchor Consistency Across Devices? [Techniques] from Ian Fette on 2007-10-15 (public-wsc-wg@w3.org from October 2007)

From: Ian Fette <ifette@google.com>
Date: Mon, 15 Oct 2007 14:45:13 -0700
To: "Serge Egelman" <egelman@cs.cmu.edu>
Cc: "Luis Barriga" <luis.barriga@ericsson.com>, "Johnathan Nightingale" <johnath@mozilla.com>, "Web Security Context Working Group WG" <public-wsc-wg@w3.org>
Message-ID: <bbeaa26f0710151445k264e0051p3adb798aeb0a0549@mail.gmail.com>
I don't necessarily agree with throwing the decision over to CABForum. The
browser vendor is the one (currently) who makes the call as to what certs to
include, because they're vouching for that CA (at least, in the eyes of the
user). Might be a hard sell.

-Ian

On 10/15/07, Serge Egelman <egelman@cs.cmu.edu> wrote:
>
> Yeah, I agree completely.  I guess what I meant was, when determining
> which trust anchors to use in a given browser, we should recommend that
> CABForum maintains this set of certificates.  But that'll just be one of
> many recommendations in this area.  Obviously using the same certificate
> on the same website across different platforms would be another one.
>
> serge
>
> Luis Barriga wrote:
> > Well, it certainly makes sense intuitively, but reality doesn't.
> >
> > There is a related issue that I also discovered: Yahoo mail service
> protects login pages with TLS, but the corresponding mobile version doesn't.
> Check it yourself: mail.yahoo.com (on a desktop) vs. "mobile.yahoo.com >>
> mail" (on a smartphone).
> >
> > Thus we need another (obvious?) recommendation on TLS consistency across
> devices?
> >
> > It probably makes sense to group all these consistency across-devices
> recommendations.
> >
> > Luis
> >
> > -----Original Message-----
> > From: public-wsc-wg-request@w3.org on behalf of Serge Egelman
> > Sent: Mon 2007-10-15 22:06
> > To: Johnathan Nightingale
> > Cc: Ian Fette; Web Security Context Working Group WG
> > Subject: Re: ISSUE-130 (Trust Anchors): Trust Anchor Consistency Across
> Devices?   [Techniques]
> >
> >
> > We should just say that CABForum is responsible for this :)
> >
> > serge
> >
> > Johnathan Nightingale wrote:
> >> Yeah, but even with trust anchors there are things like certs with
> >> multiple signing chains which not all pki stacks can handle, and there
> >> are also plausible policy-based differences, like a user agent that
> >> decided to only accept roots from CAs that offer service guarantees on
> >> their OCSP servers.
> >>
> >> Don't get me wrong, I totally support including this as a Best
> Practice,
> >> it falls under "just makes sense" for me - but I'm also happy it's a
> >> best practice, not mandatory, normative language, since that would
> >> probably make compliance with the spec unrealistic for some authors.
> >>
> >> Cheers,
> >>
> >> J
> >>
> >> On 15-Oct-07, at 3:51 PM, Serge Egelman wrote:
> >>
> >>> Uhhh, this is just about trust anchors (e.g. root certificates), not
> the
> >>> other proposals.
> >>>
> >>> serge
> >>>
> >>> Ian Fette wrote:
> >>>> Provided that it makes sense for the context. i.e. half of these
> >>>> recommendations I think would be nightmarish on a mobile device if
> you
> >>>> just take the desktop implementation and tried to use it with mobile.
> I
> >>>> think consistency is good, but "making sense" on the native platform
> is
> >>>> certainly going to have to be higher priority if we are to expect
> >>>> adoption.
> >>>>
> >>>> On 10/15/07, *Serge Egelman* <egelman@cs.cmu.edu
> >>>> <mailto:egelman@cs.cmu.edu>> wrote:
> >>>>
> >>>>
> >>>>     I would certainly agree to this recommendation.
> >>>>
> >>>>     serge
> >>>>
> >>>>     Web Security Context Working Group Issue Tracker wrote:
> >>>>> ISSUE-130 (Trust Anchors): Trust Anchor Consistency Across
> >>>>     Devices? [Techniques]
> >>>>> http://www.w3.org/2006/WSC/track/issues/
> >>>>>
> >>>>> Raised by: Luis Barriga
> >>>>> On product: Techniques
> >>>>>
> >>>>> At the f2f meeting I mentioned one of the findings on
> >>>>     smart-phones: the pre-provisioned trust anchors in smartphones
> are
> >>>>     disjoint from the ones in desktop browsers. The opposite is valid
> >>>> too.
> >>>>> As a result, users visiting the one site on a smartphone and on a
> >>>>     desktop browser will see TLS warnings that they has not seen
> >>>>     previously when visiting the same site. (Trust is temporary
> >>>> unavailable)
> >>>>> Shall we add a Deployment Best Practice 8.x section on "Trust
> >>>>     Anchor Consistency across devices" that basically recommends
> browser
> >>>>     vendors, phone manufacturers etc to have a consistent set of
> >>>>     pre-provisioned trust anchors?
> >>>>>
> >>>>>
> >>>>>
> >>>>>
> >>>>>
> >>>>>
> >>>>     --
> >>>>     /*
> >>>>     Serge Egelman
> >>>>
> >>>>     PhD Candidate
> >>>>     Vice President for External Affairs, Graduate Student Assembly
> >>>>     Carnegie Mellon University
> >>>>
> >>>>     Legislative Concerns Chair
> >>>>     National Association of Graduate-Professional Students
> >>>>     */
> >>>>
> >>>>
> >>> --/*
> >>> Serge Egelman
> >>>
> >>> PhD Candidate
> >>> Vice President for External Affairs, Graduate Student Assembly
> >>> Carnegie Mellon University
> >>>
> >>> Legislative Concerns Chair
> >>> National Association of Graduate-Professional Students
> >>> */
> >>>
> >> ---
> >> Johnathan Nightingale
> >> Human Shield
> >> johnath@mozilla.com
> >>
> >>
> >>
> >
>
> --
> /*
> Serge Egelman
>
> PhD Candidate
> Vice President for External Affairs, Graduate Student Assembly
> Carnegie Mellon University
>
> Legislative Concerns Chair
> National Association of Graduate-Professional Students
> */
>
Received on Monday, 15 October 2007 21:45:31 UTC