Re: [MIX] Is origin an authenticated origin?

From: Mike West <mkwst@google.com>
Date: Thu, 23 Oct 2014 15:58:38 +0200
Message-ID: <CAKXHy=fQtpagyFT_yyVZRmEWzG74qaWe7n34W28tw3tbUHA0EQ@mail.gmail.com>
To: Anne van Kesteren <annevk@annevk.nl>
Cc: WebAppSec WG <public-webappsec@w3.org>

On Thu, Oct 23, 2014 at 3:55 PM, Anne van Kesteren <annevk@annevk.nl> wrote:

> On Thu, Oct 23, 2014 at 3:41 PM, Mike West <mkwst@google.com> wrote:
> > Chrome will need to implement something in Q1 as part of the SHA-1
> > deprecation, as outlined here:
> > http://googleonlinesecurity.blogspot.de/2014/09/gradually-sunsetting-sha-1.html
>
> That talks about UI. It doesn't say that this will affect an origin's
> ability to use crypto (for instance).
>

As of Chrome 41: "Sites with end-entity certificates that expire on or
after 1 January 2017, and which include a SHA-1-based signature as part of
the certificate chain, will be treated as “affirmatively insecure”.
Subresources from such domain will be treated as “active mixed content”."

> Anyway, if we need something like this I would a) kind of like to
> migrate/alias document's origin and a worker's origin to/on an
> environment settings object. Then I'd also like it that when an
> environment settings object is created we put additional data about
> unauthenticated, weakly authenticated, vs authenticated on it.
>

Sure, that makes sense.

> And then instead of an origin check I guess I would expect an "is
> authenticated environment settings object" check. (It can remain an
> origin check I suppose if we stick the additional fields on an origin
> so it becomes more than just a tuple.)
>

Origins should probably stay simple.

-mike

--
Mike West <mkwst@google.com>
Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91

Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Registergericht und -nummer: Hamburg, HRB 86891
Sitz der Gesellschaft: Hamburg
Geschäftsführer: Graham Law, Christine Elizabeth Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)
Received on Thursday, 23 October 2014 13:59:27 UTC
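The exchange above proposes recording an authentication state ("unauthenticated", "weakly authenticated", "authenticated") on the environment settings object while leaving the origin a plain tuple, and ties the state to the Chrome 41 SHA-1 rule Mike quotes. What follows is an added example, not code from this thread, from the Mixed Content spec or from any browser: it models that split in JavaScript and runs a mixed-content decision over it. Every name (classifyChain, makeSettingsObject, isAuthenticatedSettingsObject, classifySubresourceFetch) is hypothetical, the certificate chains are constructed sample data rather than real certificates, and two modelling choices are labelled as assumptions in the comments: a root's self-signature is not checked, and SHA-1 chains that escape the 2017 cut-off are mapped to the "weakly authenticated" tier.

```javascript
// Added example (not from the thread or any browser): authentication state
// kept beside a simple origin tuple on an environment settings object.
// All identifiers are hypothetical; sample chains are constructed data.

// Cut-off from the Chrome 41 rule quoted in the thread: end-entity certs
// expiring on or after 1 January 2017 with SHA-1 anywhere in the chain.
const SHA1_CUTOFF_MS = Date.UTC(2017, 0, 1);

// chain[0] is the end-entity cert, the last entry is the root.
// Each entry: { subject, notAfter (ISO 8601), sigAlg }.
function classifyChain(chain) {
  if (!Array.isArray(chain) || chain.length === 0) return "unauthenticated";
  const leafNotAfter = Date.parse(chain[0].notAfter);
  if (Number.isNaN(leafNotAfter)) return "unauthenticated";
  // Assumption: the root's self-signature is not part of the validated chain,
  // so only the leaf and intermediates are inspected for SHA-1 signatures.
  const signedCerts = chain.length > 1 ? chain.slice(0, -1) : chain;
  const sha1InChain = signedCerts.some(c => /sha-?1(?!\d)/i.test(c.sigAlg));
  if (!sha1InChain) return "authenticated";
  if (leafNotAfter >= SHA1_CUTOFF_MS) return "unauthenticated"; // "affirmatively insecure"
  // Assumption (modelling choice): SHA-1 chains that escape the cut-off land
  // in Anne's middle tier rather than counting as fully authenticated.
  return "weakly authenticated";
}

function makeSettingsObject(url, chain) {
  const u = new URL(url);
  // The origin stays a plain (scheme, host, port) tuple; the authentication
  // state lives next to it on the settings object, not inside the origin.
  const origin = { scheme: u.protocol.slice(0, -1), host: u.hostname, port: u.port || null };
  const authentication = origin.scheme === "https" ? classifyChain(chain) : "unauthenticated";
  return { origin, authentication };
}

// The "is authenticated environment settings object" check from the thread.
function isAuthenticatedSettingsObject(settings) {
  return settings.authentication === "authenticated";
}

// Mixed-content decision for a subresource fetched by a document. Only a fully
// authenticated document has anything to protect; a target that is not fully
// authenticated is treated as active mixed content, which is how the quoted
// Chrome 41 text treats SHA-1 subresources.
function classifySubresourceFetch(documentSettings, targetSettings) {
  if (!isAuthenticatedSettingsObject(documentSettings)) return "not mixed content";
  return isAuthenticatedSettingsObject(targetSettings) ? "not mixed content" : "active mixed content";
}

// Constructed sample chains (not real certificates).
const SHA256_CHAIN = [
  { subject: "www.example.com", notAfter: "2017-06-30T23:59:59Z", sigAlg: "sha256WithRSAEncryption" },
  { subject: "Example Intermediate CA", notAfter: "2020-01-01T00:00:00Z", sigAlg: "sha256WithRSAEncryption" },
  { subject: "Example Root CA", notAfter: "2030-01-01T00:00:00Z", sigAlg: "sha1WithRSAEncryption" }, // root self-signature, ignored
];
const SHA1_LATE_CHAIN = [
  { subject: "cdn.example.net", notAfter: "2017-06-30T23:59:59Z", sigAlg: "sha256WithRSAEncryption" },
  { subject: "Legacy Intermediate CA", notAfter: "2020-01-01T00:00:00Z", sigAlg: "sha1WithRSAEncryption" },
  { subject: "Example Root CA", notAfter: "2030-01-01T00:00:00Z", sigAlg: "sha256WithRSAEncryption" },
];
const SHA1_EARLY_CHAIN = [
  { subject: "old.example.org", notAfter: "2016-12-31T23:59:59Z", sigAlg: "sha1WithRSAEncryption" },
  { subject: "Example Root CA", notAfter: "2030-01-01T00:00:00Z", sigAlg: "sha256WithRSAEncryption" },
];

// A SHA-256 page loading three kinds of subresource.
function demo() {
  const page = makeSettingsObject("https://www.example.com/", SHA256_CHAIN);
  return {
    sha1Cdn: classifySubresourceFetch(page, makeSettingsObject("https://cdn.example.net/app.js", SHA1_LATE_CHAIN)),
    plainHttp: classifySubresourceFetch(page, makeSettingsObject("http://www.example.com/img.png", null)),
    sha256: classifySubresourceFetch(page, makeSettingsObject("https://www.example.com/app.js", SHA256_CHAIN)),
  };
}

console.log(demo());
```

The point of keeping the state off the origin tuple is visible in makeSettingsObject: two documents from the same https origin can end up with different authentication states (one served behind a SHA-1 intermediate, one not), and same-origin comparisons keep working unchanged because they never look at the extra field.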