W3C home > Mailing lists > Public > public-wsc-wg@w3.org > May 2008

Re: ISSUE-169 Section 5.5.3 creates a burden on browsers to remember past certificates

From: Thomas Roessler <tlr@w3.org>
Date: Fri, 9 May 2008 15:07:15 +0200
To: Johnathan Nightingale <johnath@mozilla.com>
Cc: W3C WSC W3C WSC Public <public-wsc-wg@w3.org>
Message-ID: <20080509130715.GF26410@iCoaster.does-not-exist.org>

On 2008-05-09 09:00:51 -0400, Johnathan Nightingale wrote:

> That text makes it clear to me that Firefox 3, storing no
> historical TLS information, is "trivially compliant" with a
> section governing the use of it, if stored.  If the group is okay
> with "trivial compliance" here, then I think my text will work,
> and we can close the issue.  However, if people think that
> compliance with this spec *should* demand storage of historical 
> TLS information, then we should leave the text as-is (or even
> make it more explicit), close the issue, but recognize that
> Firefox 3 won't be a compliant implementation to point to.

I understood the spirit of the current text to be "you don't need to
store TLS information longer than other history information", which
seemed like a somewhat reasonable compromise, in particular in the
face of extensive browsing history storage in certain recent browsers.

As far as the treatment of self-signed certificates is concerned,
the "have been there before, saw domain validated certificate bit"
is rather crucial to the overall picture *if* pinning occurs
according to the spec, so I'm feeling quite uneasy about an approach
which effectively says "it's fine not to store that bit".

Sounds like we need to talk more about this in Oslo.

Cheers,
-- 
Thomas Roessler, W3C  <tlr@w3.org>
Received on Friday, 9 May 2008 13:07:48 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Friday, 9 May 2008 13:07:48 GMT