reference for petname concept?

In:
http://www.w3.org/2008/09/24-wsc-minutes.html

We thought that the new petname text would take care of this LC comment: 

_________________________

Section 5.1.6: I have not used petnames, nor do I know much about their
usage in the context of this document, so treat the rest of this comment
as feedback tinged with curiosity from someone uninitiated with the
workings of W3C and unaware of how pervasive the petname concept is
in that domain (certainly, I do not think I have run across a current
browser that uses petnames in its chrome.)  Please treat this as a
pure comment and not anything that needs resolution.

It seems to me that the petname is a concept layered on top of the
information present in X.509 certificates.  As such, it is a level of
abstraction above the X.509 certificate.   Especially, the petname
implementor would have to account for wildcards, delegation, etc.
If care is not taken to write a good implementation, then security could
be -- I think -- compromised by someone modifying the contents of the
petname database, or by other means.

If any action item results from this comment at all, it would
be along one or more references on more information into the
petname concept, especially any papers that outline the threat
model of using such a concept.  I Googled and ran across
http://www.w3.org/2005/Security/usability-ws/papers/02-hp-petname,
but that does not contain a threat analysis of this concept.  It
does, however, explain very well the concept of a petname.

_________________________

Is there a petname reference we could also put in? I believe that would be 
useful, and a good response to this part. 

Received on Friday, 2 January 2009 19:39:37 UTC