Re: ISSUE-130 (Trust Anchors): Trust Anchor Consistency Across Devices? [Techniques]

Hmm, I spoke with someone from MS who insisted they do not charge to
include certs in IE.  I'm still skeptical.

serge

Stephen Farrell wrote:
> 
> Well, we may need to be careful - people have paid large piles
> of money to get roots included (unless sanity's gotten
> contagious since I last looked, which'd be nice).
> 
> Could be all sorts of problems with trying to unify that list
> across browsers, or with asking one private-members club to
> maintain the list, much as it seems to make sense.
> 
> If a trust anchor management protocol does come into being,
> that'd provide a more broadly applicable answer.
> 
> I think the idea of commensurate security across different
> devices for the same service, really does make a lot of sense.
> (Good catch.)
> 
> S.
> 
> Serge Egelman wrote:
>> Yeah, I agree completely.  I guess what I meant was, when determining
>> which trust anchors to use in a given browser, we should recommend that
>> CABForum maintains this set of certificates.  But that'll just be one of
>> many recommendations in this area.  Obviously using the same certificate
>> on the same website across different platforms would be another one.
>>
>> serge
>>
>> Luis Barriga wrote:
>>> Well, it certainly makes sense intuitively, but reality doesn't.
>>>
>>> There is a related issue that I also discovered: Yahoo mail service
>>> protects login pages with TLS, but the corresponding mobile version
>>> doesn't. Check it yourself: mail.yahoo.com (on a desktop) vs.
>>> "mobile.yahoo.com >> mail" (on a smartphone).
>>>
>>> Thus we need another (obvious?) recommendation on TLS consistency
>>> across devices?
>>>
>>> It probably makes sense to group all these consistency across-devices
>>> recommendations.
>>>
>>> Luis
>>>
>>> -----Original Message-----
>>> From: public-wsc-wg-request@w3.org on behalf of Serge Egelman
>>> Sent: Mon 2007-10-15 22:06
>>> To: Johnathan Nightingale
>>> Cc: Ian Fette; Web Security Context Working Group WG
>>> Subject: Re: ISSUE-130 (Trust Anchors): Trust Anchor Consistency
>>> Across Devices?   [Techniques]
>>>  
>>>
>>> We should just say that CABForum is responsible for this :)
>>>
>>> serge
>>>
>>> Johnathan Nightingale wrote:
>>>> Yeah, but even with trust anchors there are things like certs with
>>>> multiple signing chains which not all pki stacks can handle, and there
>>>> are also plausible policy-based differences, like a user agent that
>>>> decided to only accept roots from CAs that offer service guarantees on
>>>> their OCSP servers.
>>>>
>>>> Don't get me wrong, I totally support including this as a Best
>>>> Practice,
>>>> it falls under "just makes sense" for me - but I'm also happy it's a
>>>> best practice, not mandatory, normative language, since that would
>>>> probably make compliance with the spec unrealistic for some authors.
>>>>
>>>> Cheers,
>>>>
>>>> J
>>>>
>>>> On 15-Oct-07, at 3:51 PM, Serge Egelman wrote:
>>>>
>>>>> Uhhh, this is just about trust anchors (e.g. root certificates),
>>>>> not the
>>>>> other proposals.
>>>>>
>>>>> serge
>>>>>
>>>>> Ian Fette wrote:
>>>>>> Provided that it makes sense for the context. i.e. half of these
>>>>>> recommendations I think would be nightmarish on a mobile device if
>>>>>> you
>>>>>> just take the desktop implementation and tried to use it with
>>>>>> mobile. I
>>>>>> think consistency is good, but "making sense" on the native
>>>>>> platform is
>>>>>> certainly going to have to be higher priority if we are to expect
>>>>>> adoption.
>>>>>>
>>>>>> On 10/15/07, *Serge Egelman* <egelman@cs.cmu.edu
>>>>>> <mailto:egelman@cs.cmu.edu>> wrote:
>>>>>>
>>>>>>
>>>>>>     I would certainly agree to this recommendation.
>>>>>>
>>>>>>     serge
>>>>>>
>>>>>>     Web Security Context Working Group Issue Tracker wrote:
>>>>>>> ISSUE-130 (Trust Anchors): Trust Anchor Consistency Across
>>>>>>     Devices? [Techniques]
>>>>>>> http://www.w3.org/2006/WSC/track/issues/
>>>>>>>
>>>>>>> Raised by: Luis Barriga
>>>>>>> On product: Techniques
>>>>>>>
>>>>>>> At the f2f meeting I mentioned one of the findings on
>>>>>>     smart-phones: the pre-provisioned trust anchors in smartphones
>>>>>> are
>>>>>>     disjoint from the ones in desktop browsers. The opposite is valid
>>>>>> too.
>>>>>>> As a result, users visiting the one site on a smartphone and on a
>>>>>>     desktop browser will see TLS warnings that they has not seen
>>>>>>     previously when visiting the same site. (Trust is temporary
>>>>>> unavailable)
>>>>>>> Shall we add a Deployment Best Practice 8.x section on "Trust
>>>>>>     Anchor Consistency across devices" that basically recommends
>>>>>> browser
>>>>>>     vendors, phone manufacturers etc to have a consistent set of
>>>>>>     pre-provisioned trust anchors?
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>     --
>>>>>>     /*
>>>>>>     Serge Egelman
>>>>>>
>>>>>>     PhD Candidate
>>>>>>     Vice President for External Affairs, Graduate Student Assembly
>>>>>>     Carnegie Mellon University
>>>>>>
>>>>>>     Legislative Concerns Chair
>>>>>>     National Association of Graduate-Professional Students
>>>>>>     */
>>>>>>
>>>>>>
>>>>> --/*
>>>>> Serge Egelman
>>>>>
>>>>> PhD Candidate
>>>>> Vice President for External Affairs, Graduate Student Assembly
>>>>> Carnegie Mellon University
>>>>>
>>>>> Legislative Concerns Chair
>>>>> National Association of Graduate-Professional Students
>>>>> */
>>>>>
>>>> ---
>>>> Johnathan Nightingale
>>>> Human Shield
>>>> johnath@mozilla.com
>>>>
>>>>
>>>>
>>

-- 
/*
Serge Egelman

PhD Candidate
Vice President for External Affairs, Graduate Student Assembly
Carnegie Mellon University

Legislative Concerns Chair
National Association of Graduate-Professional Students
*/

Received on Monday, 15 October 2007 22:05:09 UTC