Re: ISSUE-130 (Trust Anchors): Trust Anchor Consistency Across Devices? [Techniques]

Yeah, but even with trust anchors there are things like certs with
multiple signing chains which not all PKI stacks can handle, and
there are also plausible policy-based differences, like a user agent
that decided to only accept roots from CAs that offer service
guarantees on their OCSP servers.

Don't get me wrong, I totally support including this as a Best  
Practice, it falls under "just makes sense" for me - but I'm also  
happy it's a best practice, not mandatory, normative language, since  
that would probably make compliance with the spec unrealistic for  
some authors.

Cheers,

J

On 15-Oct-07, at 3:51 PM, Serge Egelman wrote:

>
> Uhhh, this is just about trust anchors (e.g. root certificates), not the
> other proposals.
>
> serge
>
> Ian Fette wrote:
>> Provided that it makes sense for the context. i.e. half of these
>> recommendations I think would be nightmarish on a mobile device if you
>> just take the desktop implementation and try to use it with mobile. I
>> think consistency is good, but "making sense" on the native platform is
>> certainly going to have to be higher priority if we are to expect
>> adoption.
>>
>> On 10/15/07, Serge Egelman <egelman@cs.cmu.edu> wrote:
>>
>>     I would certainly agree to this recommendation.
>>
>>     serge
>>
>>     Web Security Context Working Group Issue Tracker wrote:
>>>
>>> ISSUE-130 (Trust Anchors): Trust Anchor Consistency Across Devices? [Techniques]
>>>
>>> http://www.w3.org/2006/WSC/track/issues/
>>>
>>> Raised by: Luis Barriga
>>> On product: Techniques
>>>
>>> At the f2f meeting I mentioned one of the findings on smart-phones: the
>>> pre-provisioned trust anchors in smartphones are disjoint from the ones
>>> in desktop browsers. The opposite is valid too.
>>>
>>> As a result, users visiting the one site on a smartphone and on a desktop
>>> browser will see TLS warnings that they have not seen previously when
>>> visiting the same site. (Trust is temporarily unavailable)
>>>
>>> Shall we add a Deployment Best Practice 8.x section on "Trust Anchor
>>> Consistency across devices" that basically recommends browser vendors,
>>> phone manufacturers etc to have a consistent set of pre-provisioned
>>> trust anchors?
>>>
>>
>>     --
>>     /*
>>     Serge Egelman
>>
>>     PhD Candidate
>>     Vice President for External Affairs, Graduate Student Assembly
>>     Carnegie Mellon University
>>
>>     Legislative Concerns Chair
>>     National Association of Graduate-Professional Students
>>     */
>>
>>
>
> -- 
> /*
> Serge Egelman
>
> PhD Candidate
> Vice President for External Affairs, Graduate Student Assembly
> Carnegie Mellon University
>
> Legislative Concerns Chair
> National Association of Graduate-Professional Students
> */
>

---
Johnathan Nightingale
Human Shield
johnath@mozilla.com

Received on Monday, 15 October 2007 20:00:41 UTC