W3C home > Mailing lists > Public > public-wsc-wg@w3.org > March 2008

RE: ISSUE-186 (Petname option): Give petname as an option in identity signal [wsc-xit]

From: Close, Tyler J. <tyler.close@hp.com>
Date: Fri, 14 Mar 2008 20:58:55 +0000
To: Thomas Roessler <tlr@w3.org>, "mzurko@us.ibm.com" <mzurko@us.ibm.com>
CC: "public-wsc-wg@w3.org" <public-wsc-wg@w3.org>
Message-ID: <C7B67062D31B9E459128006BAAD0DC3D075409D9C2@G6W0269.americas.hpqcorp.net>


Thomas Roessler wrote:
> On 2008-03-07 16:12:57 +0000, Web Security Context Working Group
> Issue Tracker wrote:
>
> > I propose adding petname to the recommendations in 6.1.
> > Specifically, the petname definition from the following email:
>
> > http://lists.w3.org/Archives/Public/public-wsc-wg/2008Mar/0025.html
>
> > with this normative text added to 6.1.2:
>
> > Information displayed in the identity signal MAY include a petname.
>
> Reviewing Tyler's message, I notice that this petname definition is
> (unlike what we have in the safe form bar) not currently tied to any
> certificates.

There are a couple reasons for this. The action only asked for a definition of a petname, not an implementation recommendation for X.509 certificates, so that's all I did. I also didn't venture beyond a definition because the implementation strategy I proposed generated controversy over the way it correlates certificate chains. Do we want to try to reach consensus on a petname <=> X.509 cert chain binding, or leave that to implementers?

>  So, for inclusion with 6.1.2:
>
> - Under what conditions should petnames, if present, be displayed?
>
> - Do we want to say anything about what the presence of petnames
>   should be keyed on?
>
> One direction could be the following:
>
> - Display when strong TLS (including "pinned" SSCs), don't display
>   when weak TLS (including unpinned SSCs)?
>
> - Key off domain name and/or certificate that's used.
>
> Note, incidentally, that this would help us fill another gap in
> 6.1.2 (that I'm realizing got introduced -- but rightly so -- when I
> cleaned up the relationship between validated and self-signed
> certificates): What do we do if there is strong TLS protection, but
> it doesn't involve a validated certificate?

Answering the above questions requires specifying the petname <=> X.509 binding. Are you saying the WG wants to try to put this in the first rec document? I'm willing to put a concrete proposal on the table, but will need some more time to do so. My memory of the last round of discussion is that the controversial techniques were: determining a correlation between cert chains based on reuse of a public key; and assuming the tuple (CA cert, end-entity DN - CN) is a GUID. I think there are still interesting proposals to be made that don't use these techniques. We could try another round of discussion on a proposal that doesn't use either of these techniques. Is that what you want to do?

--Tyler
Received on Friday, 14 March 2008 21:00:19 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Friday, 14 March 2008 21:00:21 GMT