RE: ACTION-93: Get in touch with webappsec wg about the "privileged context" which is more generic than saying https, etc."

It has been nearly two months since you gave us your last update.  Can you give us a current update on the status of ACTION-93?

/paulc

Paul Cotton, Microsoft Canada
17 Eleanor Drive, Ottawa, Ontario K2E 6A3
Tel: (425) 705-9596 Fax: (425) 936-7329

From: Bob Lund [mailto:B.Lund@CableLabs.com]
Sent: Friday, August 14, 2015 11:29 AM
To: Mark Watson
Cc: Paul Cotton; public-html-media@w3.org
Subject: Re: ACTION-93: Get in touch with webappsec wg about the "privileged context" which is more generic than saying https, etc."

Mark,

We want to do a little more vetting of the solution before opening it to a broader discussion.

Bob

From: Mark Watson <watsonm@netflix.com>
Date: Thursday, August 13, 2015 at 10:14 AM
To: Bob Lund <b.lund@cablelabs.com>
Cc: Paul Cotton <Paul.Cotton@microsoft.com>, "public-html-media@w3.org" <public-html-media@w3.org>
Subject: Re: ACTION-93: Get in touch with webappsec wg about the "privileged context" which is more generic than saying https, etc."

Bob,

Could you elaborate on the potential solutions? We have the same issue in the Second Screen working group, for direct LAN communication between browser and second screen devices.

...Mark

On Thu, Aug 13, 2015 at 9:08 AM, Bob Lund <B.Lund@cablelabs.com> wrote:
Paul and all,

This issue was created to engage the Web App Sec WG on the practical problem with HTTPS as the sole mechanism for establishing a privileged context in LANs, i.e.  how would one deploy millions of TLS server certificates in home network web server devices that would be trusted by commercial browsers, without user configuration.

We've been having discussions about potential solutions with a certificate authority and a home network device supplier. It appears that there are solutions that might work with existing browsers, DNS, home network devices and CA certificate processes. So at this point, there are no issues to raise with the Web App Security WG. It probably makes sense to close this issue at this time.

Bob

From: Paul Cotton <Paul.Cotton@microsoft.com>
Date: Thursday, August 6, 2015 at 8:19 AM
To: Bob Lund <b.lund@cablelabs.com>
Cc: "public-html-media@w3.org" <public-html-media@w3.org>
Subject: RE: ACTION-93: Get in touch with webappsec wg about the "privileged context" which is more generic than saying https, etc."

> Once that is completed, we'll know what action to take with WebAppSec.

Can you give us an update on ACTION-93 before the Aug 18 Media TF meeting when we will discuss EME topics?

/paulc

Paul Cotton, Microsoft Canada
17 Eleanor Drive, Ottawa, Ontario K2E 6A3
Tel: (425) 705-9596 Fax: (425) 936-7329

From: Bob Lund [mailto:B.Lund@CableLabs.com]
Sent: Monday, July 06, 2015 4:25 PM
To: Paul Cotton
Cc: public-html-media@w3.org
Subject: Re: ACTION-93: Get in touch with webappsec wg about the "privileged context" which is more generic than saying https, etc."



From: Paul Cotton <Paul.Cotton@microsoft.com>
Date: Monday, July 6, 2015 at 12:56 PM
To: Bob Lund <b.lund@cablelabs.com>
Cc: "public-html-media@w3.org" <public-html-media@w3.org>
Subject: RE: ACTION-93: Get in touch with webappsec wg about the "privileged context" which is more generic than saying https, etc."

Is there any change in the status of ACTION-93?

Some progress is being made. The essence of the problem is that HTTPS to home network web servers requires a server HTTPS certificate that is in the client browser's trust store. Upcoming CAB Forum requirements will limit these types of certificates to hosts with FQDNs, which is not something home network hosts typically have. We are in the process of working with a CA to understand options and what impact, if any, these might have on browser requirements. Once that is completed, we'll know what action to take with WebAppSec.

Bob

/paulc

Paul Cotton, Microsoft Canada
17 Eleanor Drive, Ottawa, Ontario K2E 6A3
Tel: (425) 705-9596 Fax: (425) 936-7329

From: Bob Lund [mailto:B.Lund@CableLabs.com]
Sent: Monday, June 15, 2015 5:12 PM
To: Paul Cotton
Cc: public-html-media@w3.org
Subject: Re: ACTION-93: Get in touch with webappsec wg about the "privileged context" which is more generic than saying https, etc."

Paul,

We're still assessing the specific issues regarding problems with HTTPS with home network devices. I don't have an update as to when we'll come to conclusions and submit a bug with the WebAppSec WG.

Bob

From: Paul Cotton <Paul.Cotton@microsoft.com>
Date: Wednesday, June 10, 2015 at 10:00 PM
To: Bob Lund <b.lund@cablelabs.com>
Cc: "public-html-media@w3.org" <public-html-media@w3.org>
Subject: RE: ACTION-93: Get in touch with webappsec wg about the "privileged context" which is more generic than saying https, etc."

You previously responded on Jun 1 that you were doing some private work on this matter before contacting the WebAppSec WG.  Can you give us any update?

/paulc

Paul Cotton, Microsoft Canada
17 Eleanor Drive, Ottawa, Ontario K2E 6A3
Tel: (425) 705-9596 Fax: (425) 936-7329

From: Paul Cotton [mailto:Paul.Cotton@microsoft.com]
Sent: Monday, June 01, 2015 5:03 PM
To: Bob Lund
Cc: public-html-media@w3.org
Subject: ACTION-93: Get in touch with webappsec wg about the "privileged context" which is more generic than saying https, etc."

ACTION-93: Get in touch with webappsec wg about the "privileged context" which is more generic than saying https, etc."
http://www.w3.org/html/wg/media/track/actions/93

Can you provide an update on this action item from the May 19 TF meeting [1]?

/paulc

[1] http://www.w3.org/2015/05/19-html-media-minutes.html#item06

Paul Cotton, Microsoft Canada
17 Eleanor Drive, Ottawa, Ontario K2E 6A3
Tel: (425) 705-9596 Fax: (425) 936-7329

Received on Monday, 5 October 2015 22:03:42 UTC