W3C home > Mailing lists > Public > public-xg-webid@w3.org > March 2011

Re: report on EV and SSL MITM proxying

From: Henry Story <henry.story@bblfish.net>
Date: Mon, 21 Mar 2011 18:05:10 +0100
Cc: "'Yngve Nysaeter Pettersen'" <yngve@opera.com>, <public-xg-webid@w3.org>
Message-Id: <0F0DCD32-17AA-4572-AC2F-D8EFCA27C9BA@bblfish.net>
To: peter williams <home_pw@msn.com>

On 21 Mar 2011, at 17:51, peter williams wrote:

> I think it all comes down to this:
> 
> If I have a foaf card in XHTML/RDFa (with my self-asserted pubkey) hosted on
> an EV-site, and I (10s later) add the wrong party (pointing to the webid of
> a person whose site has NO EV cert), my own site in Opera now no longer
> shows the green-address bar when rendering my foaf card in XTHML+RDFa. (10s
> ago, it did.)

(Just reading the above, hope I did not miss something important)

If your browser displays your RDFa foaf profile served by an EV hosted site, then 
the browser should show that page as being an EV issued page, no matter what resources 
that page points to.

That is the way current pages work.

If your foaf profile embeds remote things such as pictures served from somewhere else,
then the browser will probably show that the page contains mixed content. Until a good
UI and security mechanism for browsers handling merged content appears this is where
we will remain. I think Social Web servers or light weight specialised clients will
be the first to explore trust with merged graphs.

Henry

Social Web Architect
http://bblfish.net/
Received on Monday, 21 March 2011 17:06:48 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Monday, 21 March 2011 17:06:49 GMT