W3C home > Mailing lists > Public > public-xg-webid@w3.org > March 2011

RE: report on EV and SSL MITM proxying

From: peter williams <home_pw@msn.com>
Date: Tue, 8 Mar 2011 09:58:41 -0800
Message-ID: <SNT143-ds16534B8FFB8046249CB61F92C60@phx.gbl>
To: "'Henry Story'" <henry.story@bblfish.net>
CC: <public-xg-webid@w3.org>
After 15 years of trying and 10 major vendors, isn't it a bit surprising
that none of them have reduced it to a trivial easy UI? It's so easy!

 

Hardly a logical argument; peter. Far too empirical!

 

Try to go through Ryan's argument; he actually answered you logically. In
defending EV, he distinguished it from other server certs that *some*
browsers will not clearly characterize as having been MITM'ed. Having thus
acknowledged the world of SSL MITMing as a fundamental threat, he then
suggested: perhaps look for user id protocols OTHER than TLS client authn.
He outlines how the world involving any cascade of SSL MITMing proxies
(needed for social/corporate "interests") interferes with end-end client
authn, precluding its use beyond interaction with the first proxy in the
sequence. He didn't say it, but this is not a real constrain if that proxy
is now a websso IDP, than translates the layer4 assertion into a layer 7
signed token that bypasses transport bridging.

 

Not really my words, and really not my argument. I just elicited the words
and arugment from folks that others here *should* find reputable.





 

From: Henry Story [mailto:henry.story@bblfish.net] 
Sent: Tuesday, March 08, 2011 12:03 AM
To: peter williams
Cc: public-xg-webid@w3.org
Subject: Re: report on EV and SSL MITM proxying

 

Some folks suggested that life would be all rosy, in webland, if the browser
displayed which client cert had been presented to a given website (per tab,
presumably). How come those over-complicating security designer types, just
don't do simple and obvious things, when its ALL so EASY if one just thinks
minimally and logically!

 

I have not seen an argument in what you have put forward that shows that
this is not an easy thing to do. The only arguments from browser vendors I
have heard, is that client certs are not widely used, and so it has not been
a priority for them.

 

 
Received on Tuesday, 8 March 2011 17:59:15 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 8 March 2011 17:59:31 GMT