W3C home > Mailing lists > Public > public-html-media@w3.org > August 2015

Re: ACTION-93: Get in touch with webappsec wg about the "privileged context" which is more generic than saying https, etc."

From: Bob Lund <B.Lund@CableLabs.com>
Date: Thu, 13 Aug 2015 16:08:17 +0000
To: Paul Cotton <Paul.Cotton@microsoft.com>
CC: "public-html-media@w3.org" <public-html-media@w3.org>
Message-ID: <D1F21CC6.54559%b.lund@cablelabs.com>
Paul and all,

This issue was created to engage the Web App Sec WG on the practical problem with HTTPS as the sole mechanism for establishing a privileged context in LANs, i.e.  how would one deploy millions of TLS server certificates in home network web server devices that would be trusted by commercial browsers, without user configuration.

We've been having discussions about potential solutions with a certificate authority and a home network device supplier. It appears that there are solutions that might work with existing browsers, DNS, home network devices and CA certificate processes. So at this point, there are no issues to raise with the Web App Security WG. It probably makes sense to close this issue at this time.

Bob

From: Paul Cotton <Paul.Cotton@microsoft.com<mailto:Paul.Cotton@microsoft.com>>
Date: Thursday, August 6, 2015 at 8:19 AM
To: Bob Lund <b.lund@cablelabs.com<mailto:b.lund@cablelabs.com>>
Cc: "<public-html-media@w3. org>" <public-html-media@w3.org<mailto:public-html-media@w3.org>>
Subject: RE: ACTION-93: Get in touch with webappsec wg about the "privileged context" which is more generic than saying https, etc."

> Once that is completed, we'll know what action to take with WebAppSec.

Can you give us an update on ACTION-93 before the Aug 18 Media TF meeting when we will discuss EME topics?

/paulc

Paul Cotton, Microsoft Canada
17 Eleanor Drive, Ottawa, Ontario K2E 6A3
Tel: (425) 705-9596 Fax: (425) 936-7329

From: Bob Lund [mailto:B.Lund@CableLabs.com]
Sent: Monday, July 06, 2015 4:25 PM
To: Paul Cotton
Cc: public-html-media@w3.org<mailto:public-html-media@w3.org>
Subject: Re: ACTION-93: Get in touch with webappsec wg about the "privileged context" which is more generic than saying https, etc."



From: Paul Cotton <Paul.Cotton@microsoft.com<mailto:Paul.Cotton@microsoft.com>>
Date: Monday, July 6, 2015 at 12:56 PM
To: Bob Lund <b.lund@cablelabs.com<mailto:b.lund@cablelabs.com>>
Cc: "<public-html-media@w3. org<mailto:public-html-media@w3.%20org>>" <public-html-media@w3.org<mailto:public-html-media@w3.org>>
Subject: RE: ACTION-93: Get in touch with webappsec wg about the "privileged context" which is more generic than saying https, etc."

Is there any change in the status of ACTION-93?

Some progress is being made. The essence of the problem is that HTTPS to home network web servers requires a sever HTTPS certificate that is in the client browser's trust store. Upcoming CAB Forum requirements will limit these types of certificates to hosts with FQDNs, which is not something home network hosts typically have. We are in the process of working with a CA to understand options and what impact, if any, these might have on browser requirements. Once that is completed, we'll know what action to take with WebAppSec.

Bob

/paulc

Paul Cotton, Microsoft Canada
17 Eleanor Drive, Ottawa, Ontario K2E 6A3
Tel: (425) 705-9596 Fax: (425) 936-7329

From: Bob Lund [mailto:B.Lund@CableLabs.com]
Sent: Monday, June 15, 2015 5:12 PM
To: Paul Cotton
Cc: public-html-media@w3.org<mailto:public-html-media@w3.org>
Subject: Re: ACTION-93: Get in touch with webappsec wg about the "privileged context" which is more generic than saying https, etc."

Paul,

We're still assessing the specific issues regarding problems with HTTPS with home network devices. I don't have an update as to when we'll come to conclusions and submit a bug with the WebAppSec WG.

Bob

From: Paul Cotton <Paul.Cotton@microsoft.com<mailto:Paul.Cotton@microsoft.com>>
Date: Wednesday, June 10, 2015 at 10:00 PM
To: Bob Lund <b.lund@cablelabs.com<mailto:b.lund@cablelabs.com>>
Cc: "<public-html-media@w3. org<mailto:public-html-media@w3.%20org>>" <public-html-media@w3.org<mailto:public-html-media@w3.org>>
Subject: RE: ACTION-93: Get in touch with webappsec wg about the "privileged context" which is more generic than saying https, etc."

You previously responded on Jun 1 that your were doing some private work on this matter before contacting the WebAppSec WG.  Can you give us any update?

/paulc

Paul Cotton, Microsoft Canada
17 Eleanor Drive, Ottawa, Ontario K2E 6A3
Tel: (425) 705-9596 Fax: (425) 936-7329

From: Paul Cotton [mailto:Paul.Cotton@microsoft.com]
Sent: Monday, June 01, 2015 5:03 PM
To: Bob Lund
Cc: public-html-media@w3.org<mailto:public-html-media@w3.org>
Subject: ACTION-93: Get in touch with webappsec wg about the "privileged context" which is more generic than saying https, etc."

ACTION-93: Get in touch with webappsec wg about the "privileged context" which is more generic than saying https, etc."
http://www.w3.org/html/wg/media/track/actions/93

Can you provide an update on this action item from the May 19 TF meeting [1]?

/paulc

[1] http://www.w3.org/2015/05/19-html-media-minutes.html#item06

Paul Cotton, Microsoft Canada
17 Eleanor Drive, Ottawa, Ontario K2E 6A3
Tel: (425) 705-9596 Fax: (425) 936-7329
Received on Thursday, 13 August 2015 16:08:49 UTC

This archive was generated by hypermail 2.3.1 : Thursday, 13 August 2015 16:08:50 UTC