
Re: report on EV and SSL MITM proxying

From: Henry Story <henry.story@bblfish.net>
Date: Tue, 8 Mar 2011 20:57:00 +0100
Cc: "'Yngve Nysaeter Pettersen'" <yngve@opera.com>, <public-xg-webid@w3.org>
Message-Id: <F8C20D94-69EE-414A-94B7-36813C30A24E@bblfish.net>
To: peter williams <home_pw@msn.com>

On 8 Mar 2011, at 20:37, peter williams wrote:

> So, the trick to SSL MITMing is to stop thinking that the SSL MITM
> properties (set up for document retrieval) have to make life difficult for
> client authn. There CAN be multiple sessions, distinguished by function. One
> can be intermediated, one not. One can hope EV solves the "intermediated"
> issues, for the document retrieval function. One can hope that firewall
> vendors (and society) can be persuaded of the logic of not interfering with
> those sessions aiming at user-authn to public sites.

Yes, this is an interesting idea to add to ISSUE-28: How does the WebID protocol interact with TLS proxies & firewalls?

The other trick was the Proxy Certificates we discussed last week I think.
http://www.ietf.org/rfc/rfc3820.txt

And there is also the option of thinking of the firewall as being your larger Operating System. Your computer is a small process in the company computer, and you are an agent in that larger space. If that is a correct way to describe your situation, then it's perfectly ok if the larger OS controls your CA list and controls your WebID.

Someone could put this altogether and write up a page on the wiki to detail these options.

	Henry


Social Web Architect
http://bblfish.net/
Received on Tuesday, 8 March 2011 19:57:36 GMT
