
Re: Fate of Secure Origins in Question?

From: Jeffrey Walton <noloader@gmail.com>
Date: Mon, 6 Apr 2015 15:59:58 -0400
Message-ID: <CAH8yC8nYUr75Yp832TTUHyMNXZYFePS+=wTj=SvBT5==bNWGEQ@mail.gmail.com>
To: Brad Hill <hillbrad@gmail.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>

On Mon, Apr 6, 2015 at 3:34 PM, Brad Hill <hillbrad@gmail.com> wrote:
>> The WebApp Sec group is creating policy and providing implementation
>> guidance based on a particular trust model that's not being followed.
>> How can the WebApp Sec group claim it's not their problem when they are
>> predicating functionality like secure origins on it?
>
> All technology has dependencies and foundations.  The policy questions about
> acceptable business practices for binding a name to a key, making assertions
> about that in a certificate, and what audit and control procedures should
> govern that are at a different layer than WebAppSec operates at.
>
> Even if we wanted to talk about it, the people who actually manage these
> issues for browsers and operating systems are not paying attention here -
> they are participating at the CABF and the Mozilla policy list, and that's
> where you need to go to effect any changes.

Thanks Brad. /EOM for me.

If interested, you can follow the issue further at "GeoTrust and
Ubiquitous CA Public Root program,"
https://bugzilla.mozilla.org/show_bug.cgi?id=1151348.

Jeff
Received on Monday, 6 April 2015 20:00:25 UTC
