Re: ISSUE-130 (Trust Anchors): Trust Anchor Consistency Across Devices? [Techniques]

• From: Johnathan Nightingale <johnath@mozilla.com>
• Date: Mon, 15 Oct 2007 21:25:08 -0400
• To: Serge Egelman <egelman@cs.cmu.edu>
• CC: Stephen Farrell <stephen.farrell@cs.tcd.ie>, Web Security Context Working Group WG <public-wsc-wg@w3.org>
• Message-ID: <471412F4.1000907@mozilla.com>

I know that we (Mozilla) don't charge for inclusion, but I also know 
that Netscape did, a decade ago, so it wouldn't surprise me if the 
reputations from those days persist.

I agree with Stephen's point though, that CABForum isn't really a great 
body to which to punt, here.  It's not a standards-body in the same way 
that the w3c or IETF is - it's a consortium of mostly for-profit 
companies trying to agree on a set of guidelines for a value-added 
product.  We participate strictly because and only so long as we see 
value to our users in having that standard in place, I imagine the other 
browser vendors have similar sentiments.  We've supported the move to 
push the EV guidelines out to a more traditional organization for 
standardization precisely because the CABForum isn't really built for that.

Asking them to maintain a list of trust anchors would create a pretty 
sizable conflict of interest for them, since it is in their direct 
financial interest to keep themselves on it, and their competitors off. 
  It might even represent an antitrust issue, actually.

I think a best practice statement that a) reflects the benefits of 
considering the existing trust ecosystem, and b) outlines the risks of 
diverging heavily from it, is the right way to go.  Because it's not 
normative, the precise implementation details don't need to be spec'd 
out, nor do we need to point to a list.

Again, at the end of the day, I think having language like this in the 
recs is a really good idea, I just don't want to create any railroad 
monopolies in the process.  :)

Cheers,

J

Serge Egelman wrote:
> Hmm, I spoke with someone from MS who insisted they do not charge to
> include certs in IE.  I'm still skeptical.
> 
> serge
> 
> Stephen Farrell wrote:
>> Well, we may need to be careful - people have paid large piles
>> of money to get roots included (unless sanity's gotten
>> contagious since I last looked, which'd be nice).
>>
>> Could be all sorts of problems with trying to unify that list
>> across browsers, or with asking one private-members club to
>> maintain the list, much as it seems to make sense.
>>
>> If a trust anchor management protocol does come into being,
>> that'd provide a more broadly applicable answer.
>>
>> I think the idea of commensurate security across different
>> devices for the same service, really does make a lot of sense.
>> (Good catch.)
>>
>> S.
>>
>> Serge Egelman wrote:
>>> Yeah, I agree completely.  I guess what I meant was, when determining
>>> which trust anchors to use in a given browser, we should recommend that
>>> CABForum maintains this set of certificates.  But that'll just be one of
>>> many recommendations in this area.  Obviously using the same certificate
>>> on the same website across different platforms would be another one.
>>>
>>> serge
>>>
>>> Luis Barriga wrote:
>>>> Well, it certainly makes sense intuitively, but reality doesn't.
>>>>
>>>> There is a related issue that I also discovered: Yahoo mail service
>>>> protects login pages with TLS, but the corresponding mobile version
>>>> doesn't. Check it yourself: mail.yahoo.com (on a desktop) vs.
>>>> "mobile.yahoo.com >> mail" (on a smartphone).
>>>>
>>>> Thus we need another (obvious?) recommendation on TLS consistency
>>>> across devices?
>>>>
>>>> It probably makes sense to group all these consistency across-devices
>>>> recommendations.
>>>>
>>>> Luis
>>>>
>>>> -----Original Message-----
>>>> From: public-wsc-wg-request@w3.org on behalf of Serge Egelman
>>>> Sent: Mon 2007-10-15 22:06
>>>> To: Johnathan Nightingale
>>>> Cc: Ian Fette; Web Security Context Working Group WG
>>>> Subject: Re: ISSUE-130 (Trust Anchors): Trust Anchor Consistency
>>>> Across Devices?   [Techniques]
>>>>  
>>>>
>>>> We should just say that CABForum is responsible for this :)
>>>>
>>>> serge
>>>>
>>>> Johnathan Nightingale wrote:
>>>>> Yeah, but even with trust anchors there are things like certs with
>>>>> multiple signing chains which not all pki stacks can handle, and there
>>>>> are also plausible policy-based differences, like a user agent that
>>>>> decided to only accept roots from CAs that offer service guarantees on
>>>>> their OCSP servers.
>>>>>
>>>>> Don't get me wrong, I totally support including this as a Best
>>>>> Practice,
>>>>> it falls under "just makes sense" for me - but I'm also happy it's a
>>>>> best practice, not mandatory, normative language, since that would
>>>>> probably make compliance with the spec unrealistic for some authors.
>>>>>
>>>>> Cheers,
>>>>>
>>>>> J
>>>>>
>>>>> On 15-Oct-07, at 3:51 PM, Serge Egelman wrote:
>>>>>
>>>>>> Uhhh, this is just about trust anchors (e.g. root certificates),
>>>>>> not the
>>>>>> other proposals.
>>>>>>
>>>>>> serge
>>>>>>
>>>>>> Ian Fette wrote:
>>>>>>> Provided that it makes sense for the context. i.e. half of these
>>>>>>> recommendations I think would be nightmarish on a mobile device if
>>>>>>> you
>>>>>>> just take the desktop implementation and tried to use it with
>>>>>>> mobile. I
>>>>>>> think consistency is good, but "making sense" on the native
>>>>>>> platform is
>>>>>>> certainly going to have to be higher priority if we are to expect
>>>>>>> adoption.
>>>>>>>
>>>>>>> On 10/15/07, *Serge Egelman* <egelman@cs.cmu.edu
>>>>>>> <mailto:egelman@cs.cmu.edu>> wrote:
>>>>>>>
>>>>>>>
>>>>>>>     I would certainly agree to this recommendation.
>>>>>>>
>>>>>>>     serge
>>>>>>>
>>>>>>>     Web Security Context Working Group Issue Tracker wrote:
>>>>>>>> ISSUE-130 (Trust Anchors): Trust Anchor Consistency Across
>>>>>>>     Devices? [Techniques]
>>>>>>>> http://www.w3.org/2006/WSC/track/issues/
>>>>>>>>
>>>>>>>> Raised by: Luis Barriga
>>>>>>>> On product: Techniques
>>>>>>>>
>>>>>>>> At the f2f meeting I mentioned one of the findings on
>>>>>>>     smart-phones: the pre-provisioned trust anchors in smartphones
>>>>>>> are
>>>>>>>     disjoint from the ones in desktop browsers. The opposite is valid
>>>>>>> too.
>>>>>>>> As a result, users visiting the one site on a smartphone and on a
>>>>>>>     desktop browser will see TLS warnings that they has not seen
>>>>>>>     previously when visiting the same site. (Trust is temporary
>>>>>>> unavailable)
>>>>>>>> Shall we add a Deployment Best Practice 8.x section on "Trust
>>>>>>>     Anchor Consistency across devices" that basically recommends
>>>>>>> browser
>>>>>>>     vendors, phone manufacturers etc to have a consistent set of
>>>>>>>     pre-provisioned trust anchors?
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>     --
>>>>>>>     /*
>>>>>>>     Serge Egelman
>>>>>>>
>>>>>>>     PhD Candidate
>>>>>>>     Vice President for External Affairs, Graduate Student Assembly
>>>>>>>     Carnegie Mellon University
>>>>>>>
>>>>>>>     Legislative Concerns Chair
>>>>>>>     National Association of Graduate-Professional Students
>>>>>>>     */
>>>>>>>
>>>>>>>
>>>>>> --/*
>>>>>> Serge Egelman
>>>>>>
>>>>>> PhD Candidate
>>>>>> Vice President for External Affairs, Graduate Student Assembly
>>>>>> Carnegie Mellon University
>>>>>>
>>>>>> Legislative Concerns Chair
>>>>>> National Association of Graduate-Professional Students
>>>>>> */
>>>>>>
>>>>> ---
>>>>> Johnathan Nightingale
>>>>> Human Shield
>>>>> johnath@mozilla.com
>>>>>
>>>>>
>>>>>
> 

Received on Tuesday, 16 October 2007 01:25:51 UTC