
RE: report on EV and SSL MITM proxying

From: peter williams <home_pw@msn.com>
Date: Tue, 8 Mar 2011 13:17:26 -0800
Message-ID: <SNT143-ds1D602506C9D62D69CFB2492C60@phx.gbl>
To: "'Henry Story'" <henry.story@bblfish.net>
CC: "'Yngve Nysaeter Pettersen'" <yngve@opera.com>, <public-xg-webid@w3.org>
Ok. I'm starting to feel that it's worth it. I feel we have gone from
denial, ostrich-head-in-the-sand, and religious statements about ideals, to
figuring what 1% we can add to the pretty sordid baseline that makes it
better.

What's good about https today, unlike 15 years ago, is that we are all
inverting the paradigm: that any browser is also a server (and thus issuing
a user cert is one of issuing a "server" cert, if you look backwards through
the looking glass).

This is why I think we get to struggle with user certs for client authn,
and EV certs for server auth. Because, increasingly, they are one and the
same thing (once everyone has their own site).

Now comes the policy aspect, as someone indicated. And, here I don't know
how to deal with it, in issues. It goes to the heart of what W3C is about, I
suspect.

There are THOSE who BY POLICY do not wish to see a world in which folks can
peer, without intermediation, particularly when it's crypto-peering. How do
we deal with that here?

Usually, it means punting to a "trust framework" in which different policies
can co-exist (much like RFC 1422 was the unstated, de-facto, multi-policy
trust framework for the web and its use of certs). Is this the cue for us to
become more involved in the discussions on "trust frameworks", and have an
opinion? Should that opinion be 40% user, 60% corporate biased (hoping to
cancel out the dominant corporate biases of other groups) - aiming to find a
middle ground somewhere that simply works to avoid: 1% user, 99% corporate,
like the 1960s phone systems?

Is there an alliance to be had with CAB Forum on formulating "revised policy
for firewalls" which can accommodate webid SSL sessions, perhaps? After all,
that's where all the browser vendors are, when they are thinking about
https.



-----Original Message-----
From: public-xg-webid-request@w3.org [mailto:public-xg-webid-request@w3.org]
On Behalf Of Henry Story
Sent: Tuesday, March 08, 2011 11:57 AM
To: peter williams
Cc: 'Yngve Nysaeter Pettersen'; public-xg-webid@w3.org
Subject: Re: report on EV and SSL MITM proxying


On 8 Mar 2011, at 20:37, peter williams wrote:

> So, the trick to SSL MITMing is to stop thinking that the SSL MITM
> properties (setup for document retrieval) have to make life difficult
> for client authn. There CAN be multiple sessions, distinguished by
> function. One can be intermediated, one not. One can hope EV solves the
> "intermediated" issues, for the document retrieval function. One can
> hope that firewall vendors (and society) can be persuaded of the logic
> of not interfering with those sessions aiming at user-authn to public
> sites.

yes, this is an interesting idea to add to ISSUE-28: How does the WebID
protocol interact with TLS proxies & firewalls

The other trick was the Proxy Certificates we discussed last week I think.
http://www.ietf.org/rfc/rfc3820.txt

And there is also the option of thinking of the firewall as being your
larger Operating system. Your computer is a small process in the company
computer, and you are an agent in that larger space. If that is a correct
way to describe your situation then it's perfectly ok if the larger OS
controls your CA list, and controls your WebID.

Someone could put this all together and write up a page on the wiki to detail
these options.

	Henry


Social Web Architect
http://bblfish.net/
Received on Tuesday, 8 March 2011 21:18:22 GMT
