W3C home > Mailing lists > Public > public-xg-webid@w3.org > March 2011

RE: report on EV and SSL MITM proxying

From: peter williams <home_pw@msn.com>
Date: Mon, 21 Mar 2011 11:04:42 -0700
Message-ID: <SNT143-ds6E5F0032BA4922C8AAE5292B50@phx.gbl>
To: "'Henry Story'" <henry.story@bblfish.net>
CC: "'Yngve Nysaeter Pettersen'" <yngve@opera.com>, <public-xg-webid@w3.org>

Im not too worried about a profile pointing to offsite pictures, creating
multiple sessionids and multiple presentations client certs/sigs. (That was
Ryan's axis of argument, and his worry about our mission). That is a
traditional https issue known from the outset; about "mixed content." The
webby world has learned to address it, somehow. It's mixed up in the whole
open web => phishing issue set, which stumbles along somehow.

I'm more concerned with the core "foaf-ness" of webid, when RDFa is
specifically involved. The whole point of RDFa is that it works with the
"web we know today". In my [RDFa] foaf graph, I want now  to refer to the
openid/webid of my friends. Surely, this is what we intended, all along! I
want to define my own foaf group (which means referring to their foaf cards,
using webid-grade URIs)

So, the brightline test can be applied. What necessary condition can I
change so that the theorem flips from valid to invalid, with a change of
just one fact? (i.e. induce the contradiction...Engima bombe like.. and halt
that Turing machine...)

>From the description in the blog post, it appears to happens the moment I
add Henry's openid/webid to my foaf card - as represented in XHTML/RDfa.
Before I add the "EV-untrusted Henry", Opera apparently presents my own foaf
card (currently with no external refs) to the world as "EV-trustworthy". The
moment I associate with Henry, EV/Opera  tells the world I am ( i.e. my site
is) now untrustworthy - by withdrawing EV UI signals at the billion PCs
using opera. Remove the Henry card reference, I'm EV-trusted, again.
 
As we intended foaf card to be hosted on SSL sites (and optionally EV
sites), we seem to have learned something I certainly didn't know, before
today.

Can someone with EV site cooperate with me, so I can test things
empirically?  The blog posts I'm basing my reasoning are years old, and
perhaps life's changed meantime.

-----Original Message-----
From: public-xg-webid-request@w3.org [mailto:public-xg-webid-request@w3.org]
On Behalf Of Henry Story
Sent: Monday, March 21, 2011 10:05 AM
To: peter williams
Cc: 'Yngve Nysaeter Pettersen'; public-xg-webid@w3.org
Subject: Re: report on EV and SSL MITM proxying


On 21 Mar 2011, at 17:51, peter williams wrote:

> I think it all comes down to this:
> 
> If I have a foaf card in XHTML/RDFa (with my self-asserted pubkey) 
> hosted on an EV-site, and I (10s later) add the wrong party (pointing 
> to the webid of a person whose site has NO EV cert), my own site in 
> Opera now no longer shows the green-address bar when rendering my foaf 
> card in XTHML+RDFa. (10s ago, it did.)

(Just reading the above, hope I did not miss something important)

If your browser displays your RDFa foaf profile served by an EV hosted site,
then the browser should show that page as being an EV issued page, no matter
what resources that page points to.

That is the way current pages work.

If your foaf profile embeds remote things such as pictures served from
somewhere else, then the browser will probably show that the page contains
mixed content. Until a good UI and security mechanism for browsers handling
merged content appears this is where we will remain. I think Social Web
servers or light weight specialised clients will be the first to explore
trust with merged graphs.

Henry

Social Web Architect
http://bblfish.net/
Received on Monday, 21 March 2011 18:05:15 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Monday, 21 March 2011 18:05:16 GMT