Secure origins, high value code and data, and CAs providing reputational service

As I understand it, (1) there's higher value code (like service
workers) trying to (2) handle higher value data (like location data);
and (3) authentication and authorization are coupled to HTTPS (by way
of public CAs).

Since both the code and data are higher value, will SOP-busting be
allowed, like CORS and XHR? Looking at "Defining secure-enough
origins" (http://lists.w3.org/Archives/Public/public-webappsec/2014Aug/0107.html)
it appears it will be allowed.

I know it's business as usual, but now we are dealing with both
higher value code and data. And I'm wondering if it's a good idea.

Stepping back a bit, is this a good idea? Should the bar be raised
since the code and data are higher value?

I think a leap is being made when using public CAs for authentication
and authorization (transitively from server certificates and HTTPS). I
don't like the idea of using public CAs as a reputational service. The
race to the bottom ensures there's almost no bar. Authorities like
StartCom offer Class 1 certs for no charge, so there's effectively no
bar for the savvy.

Do public CAs make those assertions? Should public CAs or their
products be used as a reputational service?

Should something like a self-authenticating URL be used? With a self
authenticating URL, the responsibility lies on the origin's website
operator, and not a public CA or a user.

In the presence of a self-authenticating URL, if a developer includes
a third party library, then it becomes harder for the third party to
surreptitiously enjoy the benefits offered to [trusted] higher value
code and data.

Related, from Mr. Kemp
(http://lists.w3.org/Archives/Public/public-webappsec/2014Aug/0116.html):

    > ... most transactions today, whether over cleartext or not,
    > just go fine for both the user and the company. And where
    > they don't, shared-liability-based models such as that practised
    > by the credit-card industry seem also to work reasonably well
    > for all parties.

Just speculating... I think it goes fine because the user has an
expectation, but he/she is not aware the expectation was not met until
after the fact (if at all).

In US finance, the liability for the risk was legislated away from
the consumer. I don't think the same is going to patently apply to
non-financial transaction data or other technologies.

Jeff

Received on Friday, 22 August 2014 23:52:12 UTC