- From: Dan Schutzer <dan.schutzer@fstc.org>
- Date: Wed, 7 Mar 2007 08:39:35 -0500
- To: "'Mary Ellen Zurko'" <Mary_Ellen_Zurko@notesdev.ibm.com>, "'public-usable-authentication'" <public-usable-authentication@w3.org>
- Cc: "'EKR'" <ekr@networkresonance.com>, "'Hallam-Baker, Phillip'" <pbaker@verisign.com>, <beltzner@mozilla.com>, "'Dan Schutzer'" <dan.schutzer@fstc.org>
- Message-ID: <007801c760be$0c8bf4e0$6500a8c0@dschutzer>
I think this is an important comment. If I understand it correctly, it is necessary if we wish to take steps to use strong (PKI) means of identifying a Website - which ultimately is necessary, and something the FI's are willing to do Dan Schutzer _____ From: public-usable-authentication-request@w3.org [mailto:public-usable-authentication-request@w3.org] On Behalf Of Mary Ellen Zurko Sent: Wednesday, March 07, 2007 8:03 AM To: public-usable-authentication Cc: EKR; Hallam-Baker, Phillip; beltzner@mozilla.com Subject: Fw: Produce material on name-based virtual hosting and TLS Since this discussion involves non WG members, I'm moving it to the list for public comment. Thanks for bringing this up, Phil and Eric. I've got a couple of reactions. As phrased, part of this is more a recommendation. That does not belong in the Note, but it's good to start getting public comment (and WG comment) on what we want in our recommendations. We'll be setting up an area in our wiki soon to start holding these (just as we did to start holding potential draft sections of the note). And of course discussions of potential recommendations are archived on all the mailing lists. I'm trying to recast this to understand the general category of "problems with the status quo" this falls under (or if it really is unique). You can both help me with that. Would the general category be "technology restrictions that undermine consistent and usable deployment of existing sources of security context information"? (a bit of a mouthful; I'm sure we can cut it down once we understand it.) Or perhaps "error conditions are perceived as normal by users", with examples of why enough deployments deploy with errors in configuring their security context information that users find errors not surprising, which opens up another avenue of attack. This might also be related to our discussion of confirmation bias at http://lists.w3.org/Archives/Public/public-wsc-wg/2007Mar/0037.html Mike, did you have any concrete ideas on where we should slot that in in the Note? Mez Mary Ellen Zurko, STSM, IBM Lotus CTO Office (t/l 333-6389) Lotus/WPLC Security Strategy and Patent Innovation Architect ----- Forwarded by Mary Ellen Zurko/Westford/IBM on 03/07/2007 07:53 AM ----- "Hallam-Baker, Phillip" <pbaker@verisign.com> Sent by: public-wsc-wg-request@w3.org 03/06/2007 10:41 PM To "EKR" <ekr@networkresonance.com> cc <public-wsc-wg@w3.org> Subject RE: Produce material on name-based virtual hosting and TLS Does the protocol allow the client to state that it supports NBVH? If so the transition becomes smooth provided EV capable Web browsers also support NBVH as a matter of course. > -----Original Message----- > From: EKR [mailto:ekr@networkresonance.com] > Sent: Tuesday, March 06, 2007 6:53 PM > To: Hallam-Baker, Phillip > Cc: public-wsc-wg@w3.org > Subject: Re: Produce material on name-based virtual hosting and TLS > > Hallam-Baker, Phillip <pbaker@verisign.com> wrote: > > > (cc'd to EKR for comment) > > > > I thinbk we need a section 9.6 as follows > > > > 9.6 Cryptographic protocol limitations > > > > 9.6.1 Layering of HTTP on SSL requires a static IP address > per secured > > site > > > > IPv4 address space is a finite and increasingly scarce > resource. In order to reduce pressure on the IPv4 address > space the HTTP/1.1 protocol allows multiple domains to be > hosted on a single IP address. > > > > This feature is not fully supported when HTTP is layered on > SSL 3.0 or TLS 1.0. The HTTP URI or Host header specifying > the virtual domain to connect to is only transmitted after > the transport layer security negotiation is complete. This > configuration does not allow the server to vary the server > certificate presented unless a separate IP address is used per domain. > > > > This restriction is lifted in RFC 4366 S 3.1. Clients that > verify that the domain name of the certificate matches the > domain name of the site should be encouraged to support this > extension. > > > This seems pretty correct. It might be nice to mention that > servers can't safely use NBVH until client deployment becomes > ubiquitous. > > -Ekr >
Received on Wednesday, 7 March 2007 13:40:03 UTC