Re: ACTION-509 Cross-frame scripting notes for "Security Considerations" section

Thanks Tyler. I get what you're getting at, but am struggling with the 
text. I've moved a bit around and tried to be a bit more explicit. I like 
this better; other opinions? : 

Under the browser's Same Origin policy, separately displayed webpages from 
the same origin can freely read and modify each other's state. A webpage's 
origin is comprised of the scheme, host and port of the URL used to 
retrieve the webpage. The origin does not take into account any attributes 
of the TLS session or server certificate used when retrieving a webpage. 
For example, consider a user agent that has loaded two webpages from 
https://www.example.com/. When the first page was retrieved, an Augmented 
Assurance Certificate (AAC) was used by the TLS session. When the second 
page was retrieved, a different certificate, such as a domain validated or 
self-signed certificate, was used. Though the first page was retrieved 
using an AAC certificate, the second page can freely read and write the 
first page. Differing security presentations of the two pages may obscure 
this relationship in the mind of the user. 

I would also love to close this paragraph with a line such as "Future 
security context presentations may find better ways to relay this complex 
information to the user in a useful fashion." 

From: "Close, Tyler J." <tyler.close@hp.com>
To: "public-wsc-wg@w3.org" <public-wsc-wg@w3.org>
Date: 01/28/2009 12:39 PM
Subject: ACTION-509 Cross-frame scripting notes for "Security Considerations" section
Sent by: public-wsc-wg-request@w3.org

I recommend we extend section 8.6 "Mixing Augmented Assurance and 
Validated Certificates" with the following paragraph:

"""
Under the browser's Same Origin policy, separately displayed webpages from 
the same origin can freely read and modify each other's state. A webpage's 
origin is comprised of the scheme, host and port of the URL used to 
retrieve the webpage. The origin does not take into account any attributes 
of the TLS session or server certificate used when retrieving a webpage. 
This document recommends presentation of the security attributes of the 
TLS session used to retrieve a webpage. If separate webpages are retrieved 
using separate TLS sessions, their security presentations may differ, even 
though neither page can be trusted any more than the other. For example, 
consider a user agent that has loaded two webpages from 
https://www.example.com/. When the first page was retrieved, an Augmented 
Assurance Certificate (AAC) was used by the TLS session. When the second 
page was retrieved, a different certificate, such as a domain validated or 
self-signed certificate, was used. Though the first page was retrieved 
using an AAC certificate, it should not be trusted any more than the 
second page, since the second page can freely read and write the first 
page. Differing security presentations of the two pages may obscure this 
relationship in the mind of the user.
"""

This email completes ACTION-509.

--Tyler

Received on Monday, 2 February 2009 22:50:10 UTC
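
The relationship discussed in this thread, as an added example that is not part of either message: pages are grouped by origin (scheme, host, port) with the certificate ignored, and each origin is reported at the weakest certificate class seen among its pages. The function names, the ranking of certificate classes and the sample page loads are assumptions constructed for illustration.

```javascript
// Added illustration. CERT_RANK ordering is an assumption (higher = more vetted).
const CERT_RANK = {
  "self-signed": 0,
  "domain-validated": 1,
  "augmented-assurance": 2,
};

// Origin as the Same Origin policy sees it: scheme, host and port only.
// URL.origin lowercases the host and drops the scheme's default port.
function originOf(url) {
  return new URL(url).origin;
}

// For each origin, collect the certificate classes of all loaded pages and
// report the weakest one. "mixed" marks origins whose pages would show
// differing security presentations despite being able to script each other.
function effectiveAssurance(pageLoads) {
  const byOrigin = new Map();
  for (const { url, cert } of pageLoads) {
    if (!(cert in CERT_RANK)) {
      throw new Error(`unknown certificate class: ${cert}`);
    }
    const origin = originOf(url);
    const entry = byOrigin.get(origin) || { certs: new Set(), weakest: cert };
    entry.certs.add(cert);
    if (CERT_RANK[cert] < CERT_RANK[entry.weakest]) entry.weakest = cert;
    byOrigin.set(origin, entry);
  }
  return [...byOrigin.entries()].map(([origin, e]) => ({
    origin,
    weakest: e.weakest,
    mixed: e.certs.size > 1,
  }));
}

// Constructed sample: two pages from one origin over different TLS sessions,
// plus one page from a different host.
const sampleLoads = [
  { url: "https://www.example.com/account", cert: "augmented-assurance" },
  { url: "https://WWW.example.com:443/promo", cert: "domain-validated" },
  { url: "https://other.example.com/", cert: "augmented-assurance" },
];

console.log(effectiveAssurance(sampleLoads));
```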