W3C home > Mailing lists > Public > public-webappsec@w3.org > October 2014

Re: [webappsec] Agenda for MONDAY Teleconference 2014-10-20, 12:00 PDT

From: Michael[tm] Smith <mike@w3.org>
Date: Tue, 21 Oct 2014 17:18:35 +0900
To: Brad Hill <hillbrad@gmail.com>
Cc: Mike West <mkwst@google.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Brian Smith <brian@briansmith.org>
Message-ID: <20141021081835.GP4173@jay.w3.org>
Brad Hill <hillbrad@gmail.com>, 2014-10-20 10:00 -0700:
...
> The idea I was tossing around would be to have some different kind of
> secure introduction ceremony to replace the untrusted certificate
> dialog *for hosts on the local network only*.  Perhaps something like
> Bluetooth / WPS pairing, where the user could get a page that tells
> them this is a locally connected device and they have to enter a
> pairing code to trust it, with other-than-standard HTTPS UX treatment
> following, but less strict rules about mixed content blocking, etc.
> than an untrusted or HTTP connection would receive.
>
> There are a number of moving parts involved to get this right:
>   - definitely UI, which the W3C doesn't have a great history in, but
> perhaps which we can describe the requirements for without
> prescriptively specifying

If you/the group decide to document those kinds of requirements, anybody
involved would probably benefit from taking a look at the related previous
attempt in http://www.w3.org/TR/wsc-ui/

  --Mike

>   - thinking about what constitutes a "locally attached network
> device", how to detect and verify that, and how to manage subsequent
> accesses over a WAN
>   - some Fetch rules similar to Mixed Content
>   - perhaps a certificate extension to identify these devices

-- 
Michael[tm] Smith http://people.w3.org/mike

Received on Tuesday, 21 October 2014 08:18:41 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:07 UTC