RE: Certificate Revocation in Java from Hill, Brad on 2013-03-06 (public-webappsec@w3.org from March 2013)

From: Hill, Brad <bhill@paypal-inc.com>
Date: Wed, 6 Mar 2013 17:10:18 +0000
To: "ben@digicert.com" <ben@digicert.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <370C9BEB4DD6154FA963E2F79ADC6F2E27955C72@DEN-EXDDA-S12.corp.ebay.com>

Ben,

Our charter here (as with the rest of the W3C) is concerned with the Open Web Platform, specifically technologies usually implemented in browsers to secure web applications (typically written in HTML + CSS + JavaScript).

While plugins like Java are a part of the Web, their behavior and features are proprietary, not specified by the W3C.

Thanks,

Brad Hill

From: Ben Wilson [mailto:ben@digicert.com]
Sent: Wednesday, March 06, 2013 8:40 AM
To: public-webappsec@w3.org
Subject: Certificate Revocation in Java

Is this within the scope of your charter / domain?
Malicious applet using stolen code signing cert still installs because Java has revocation checking turned off by default.
http://www.net-security.org/secworld.php?id=14557

Received on Wednesday, 6 March 2013 17:10:49 UTC