
RE: cab forum guide; multiple handshakes vs. signed XRD + DANE; Lampson joint authority: cloud providers and webids

From: peter williams <home_pw@msn.com>
Date: Sun, 13 Feb 2011 13:43:17 -0800
Message-ID: <SNT143-ds1227DAEA3136A6232C707A92D10@phx.gbl>
To: "'WebID XG'" <public-xg-webid@w3.org>
EV, green address bars in UI, impact of SSL MITM on UI.

One can get some feeling for what the space has to offer by looking at
http://technet.microsoft.com/en-us/library/ee658156.aspx

Some of the highlights and questions I took away include:

The SSL MITM agent will not talk to a webserver with a self-signed cert
when acting as an SSL MITM agent. Presumably, it will talk on the downstream
tunnel to an SSL server whose cert is signed by an enterprise CA (which has
a self-signed cert one level higher in the cert chain).

Does not _currently_ let the CA created using the product's own tool chain
portray itself as an EV CA.

Help required: the SSL MITM agent (TMG) enables one to create a simple
authority-spoofing CA using either its own toolchain or a Windows enterprise
CA. Can one add the various EV-related extensions to the trust anchors that
define EV-CA-ness, for those browsers whose trust stores see that
(EV-modified) trust anchor?

From: public-xg-webid-request@w3.org [mailto:public-xg-webid-request@w3.org]
On Behalf Of peter williams
Sent: Sunday, February 13, 2011 10:13 AM
To: 'WebID XG'
Subject: cab forum guide; multiple handshakes vs. signed XRD + DANE; Lampson joint authority: cloud providers and webids

Given issue 28, I'm assuming that any EV cert addresses the threat of SSL
MITM intermediaries, in the sense that those corporate SSL MITM sites using
products such as the Microsoft Threat Management Gateway (TMG), while having
an EV cert themselves, may not sign another site's EV public key (using the
TMG's "authority spoofing" power). After all, that undermines the whole point
of EV, since no green address bar would be present in the browser behind the
inspecting firewall.

 
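As an added illustration of the EV question raised in this message (it is not part of the message or the thread), the following Python model shows why an EV OID stamped onto a locally installed trust anchor does not light up the EV indicator in a client that keys EV off a pinned root-to-OID table, and how the same chain check flags the re-signed certificate an inspecting proxy presents. The CA/Browser Forum EV policy OID 2.23.140.1.1 is real; every root and CA name, the sample chains and the `evaluate_chain` function are constructed for the example. A client whose EV decision comes instead from a property attached to the root in its local store is assumed to behave differently and is not modelled here.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    """Minimal stand-in for an X.509 certificate (constructed, not parsed)."""
    subject: str
    issuer: str
    policy_oids: tuple = ()   # certificatePolicies OIDs carried by the cert
    is_ca: bool = False

    @property
    def self_signed(self):
        return self.subject == self.issuer


# CA/Browser Forum EV policy OID (real value); all root names are constructed.
EV_POLICY_OID = "2.23.140.1.1"
PUBLIC_ROOTS = {"CN=Example Public Root CA", "CN=Example DV-only Root CA"}
PINNED_EV_ROOTS = {"CN=Example Public Root CA": EV_POLICY_OID}  # pinned table
LOCAL_ROOTS = {"CN=Corp Enterprise Root CA"}  # anchor pushed by enterprise policy


def evaluate_chain(chain, public_roots=PUBLIC_ROOTS,
                   pinned_ev_roots=PINNED_EV_ROOTS, local_roots=LOCAL_ROOTS):
    """Decide trust, EV indicator and interception status for a leaf-first chain."""
    result = {"trusted": False, "ev": False, "intercepted": False, "reason": ""}
    if not chain:
        result["reason"] = "empty chain"
        return result
    leaf, root = chain[0], chain[-1]
    # 1. Every cert must be issued by the next one, and every issuer must be a CA.
    for child, parent in zip(chain, chain[1:]):
        if child.issuer != parent.subject:
            result["reason"] = f"{child.subject!r} not issued by {parent.subject!r}"
            return result
        if not parent.is_ca:
            result["reason"] = f"{parent.subject!r} is not a CA"
            return result
    # 2. The chain must end in a self-signed anchor that some store trusts.
    if not root.self_signed:
        result["reason"] = "chain does not end in a self-signed root"
        return result
    if root.subject in public_roots:
        result["trusted"] = True
    elif root.subject in local_roots:
        # A locally installed anchor is a co-authority over every site name:
        # the client trusts it, but the leaf was not issued under the public
        # CA the site actually uses, so report the chain as interception.
        result["trusted"] = True
        result["intercepted"] = True
        result["reason"] = "chain anchored on locally installed root"
    else:
        result["reason"] = "untrusted self-signed root"
        return result
    # 3. EV is decided by the pinned table: the root must be listed there AND
    #    the leaf must carry that root's EV OID. An EV OID present on a locally
    #    added root, or on a leaf under it, never reaches this table.
    expected = pinned_ev_roots.get(root.subject)
    if (expected is not None and expected in leaf.policy_oids
            and not result["intercepted"]):
        result["ev"] = True
    return result


# Constructed sample chains (leaf first, root last).
GENUINE_EV = (
    Cert("CN=www.example.com", "CN=Example EV Issuing CA", (EV_POLICY_OID,)),
    Cert("CN=Example EV Issuing CA", "CN=Example Public Root CA", is_ca=True),
    Cert("CN=Example Public Root CA", "CN=Example Public Root CA", is_ca=True),
)
# The same site seen through an inspecting proxy: re-signed under the
# enterprise CA. Both the re-signed leaf and the local root carry the EV
# OID, which is the case the question above asks about.
INTERCEPTED = (
    Cert("CN=www.example.com", "CN=Corp Proxy Issuing CA", (EV_POLICY_OID,)),
    Cert("CN=Corp Proxy Issuing CA", "CN=Corp Enterprise Root CA", is_ca=True),
    Cert("CN=Corp Enterprise Root CA", "CN=Corp Enterprise Root CA",
         (EV_POLICY_OID,), is_ca=True),
)
SELF_SIGNED = (Cert("CN=intranet.local", "CN=intranet.local"),)
DV_ONLY = (
    Cert("CN=www.example.com", "CN=Example DV-only Root CA"),
    Cert("CN=Example DV-only Root CA", "CN=Example DV-only Root CA", is_ca=True),
)

if __name__ == "__main__":
    for name, chain in [("genuine EV", GENUINE_EV), ("intercepted", INTERCEPTED),
                        ("self-signed", SELF_SIGNED), ("DV only", DV_ONLY)]:
        print(f"{name:12s} -> {evaluate_chain(chain)}")
```

Running the block prints the four verdicts. The intercepted chain comes back trusted (the enterprise root is installed) but with `intercepted` set and `ev` cleared, which is exactly the condition a defender would alert on: the browser behind the inspecting firewall stays connected, but the EV indicator is gone and the chain terminates in a root that is not in the public store.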
Received on Sunday, 13 February 2011 21:43:50 UTC
