W3C home > Mailing lists > Public > public-webappsec@w3.org > July 2015

Re: CfC: Mixed Content to PR; deadline July 6th.

From: Ryan Sleevi <sleevi@google.com>
Date: Tue, 7 Jul 2015 00:57:31 -0700
Message-ID: <CACvaWvaCBOTT3bQ=u8KPv8BEKzzrdN_-UgHTRNmRFVF_BxePkg@mail.gmail.com>
To: Brian Smith <brian@briansmith.org>
Cc: Mike West <mkwst@google.com>, Anne van Kesteren <annevk@annevk.nl>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Dan Veditz <dveditz@mozilla.com>, Wendy Seltzer <wseltzer@w3.org>, Brad Hill <hillbrad@gmail.com>, Kristijan Burnik <burnik@google.com>
On Mon, Jul 6, 2015 at 11:14 AM, Brian Smith <brian@briansmith.org> wrote:

> It depends on how things are specified, right? For example, the
> specification could be technically burdensome for Google, e.g. if it is
> required that the browser always attempt to try the cert chain that the
> server sent in the TLS handshake before concluding that the connection
> should be blocked due to SHA-1 deprecation. Without specifying such things,
> we can't really expect interoperability, but the better defined the
> mechanism is, the more likely there will be things that are technically
> and/or politically difficult for multiple implementations. Whether
> difficulty is political vs. technical also doesn't seem to matter much.

I think you've missed my point. This is very much a browser policy hook.
While flag days are good in theory, they suffer from the collective action
problem, and it's clear that different browsers have different priorities
and preferences with regards to how things change.

I don't think there is any traction for specifying what chain building
algorithm a browser should use - that's been beaten to death in IETF PKIX's
WG for over a decade, so I'm somewhat surprised to hear you suggest it
here, since the issues are well discussed (and, arguably, well documented -
RFC 4158 captures many of the different concerns)

I'm not trying to be dismisissive of your concern - but look at how we got
to MIX in the first place. It was only because browsers independently made
calculations about the compatibility risk / security risks and their target
user bases. As more progressive browsers worked through the first mover
problems (such as blocking mixed content XHRs and mixed content WSS), they
necessarily decreased the compatibility risks for more conservative
browsers, such that we're finally at a point in which the compatibility
risks are low and that normatively specifying these has a viable chance of
consensus. But it'd be mistaken to think "We're done here", and that's why
the policy escape hatch exists - a reflection of the fact that "While we
all agree on X, we also realize that Y may need tweaking over time".

Given that the preference is for the spec to reflect the implementation
reality versus the aspirational reality, I don't see how we can reasonably
put something forward that reflects the present reality without
acknowledging, implicitly, that there is more aspirationally.

> I think it's best to advance a MIX 1.0 that specifies what has been
> interoperably implemented, which is (only) the pre-connection blocking
> behavior. When the post-connection blocking behavior is more thoroughly
> specified, it might overwhelm the rest of MIX, so it might be better put in
> a separate document.

To the extent the current spec should reflect the reality, I agree.
However, I think it'd be mistaken to conflate interoperably implemented
with a desire to limit escape hatches.

Put differently, I'd much rather a 'map of the world' that covers the known
world, and then indicates 'here be dragons' in the unknown portions than a
map of the known world that claims to be a map of the /whole/ world.
Hopefully the semantic subtlety is clear.
Received on Tuesday, 7 July 2015 07:58:32 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:54:49 UTC