- From: Serge Egelman <egelman@cs.cmu.edu>
- Date: Mon, 15 Oct 2007 16:06:59 -0400
- To: Johnathan Nightingale <johnath@mozilla.com>
- CC: Ian Fette <ifette@google.com>, Web Security Context Working Group WG <public-wsc-wg@w3.org>
We should just say that CABForum is responsible for this :)

serge

Johnathan Nightingale wrote:
> Yeah, but even with trust anchors there are things like certs with
> multiple signing chains which not all pki stacks can handle, and there
> are also plausible policy-based differences, like a user agent that
> decided to only accept roots from CAs that offer service guarantees on
> their OCSP servers.
>
> Don't get me wrong, I totally support including this as a Best Practice,
> it falls under "just makes sense" for me - but I'm also happy it's a
> best practice, not mandatory, normative language, since that would
> probably make compliance with the spec unrealistic for some authors.
>
> Cheers,
>
> J
>
> On 15-Oct-07, at 3:51 PM, Serge Egelman wrote:
>
>> Uhhh, this is just about trust anchors (e.g. root certificates), not the
>> other proposals.
>>
>> serge
>>
>> Ian Fette wrote:
>>> Provided that it makes sense for the context, i.e. half of these
>>> recommendations I think would be nightmarish on a mobile device if you
>>> just take the desktop implementation and try to use it with mobile. I
>>> think consistency is good, but "making sense" on the native platform is
>>> certainly going to have to be higher priority if we are to expect
>>> adoption.
>>>
>>> On 10/15/07, *Serge Egelman* <egelman@cs.cmu.edu> wrote:
>>>
>>> I would certainly agree to this recommendation.
>>>
>>> serge
>>>
>>> Web Security Context Working Group Issue Tracker wrote:
>>>> ISSUE-130 (Trust Anchors): Trust Anchor Consistency Across Devices? [Techniques]
>>>>
>>>> http://www.w3.org/2006/WSC/track/issues/
>>>>
>>>> Raised by: Luis Barriga
>>>> On product: Techniques
>>>>
>>>> At the f2f meeting I mentioned one of the findings on smart-phones:
>>>> the pre-provisioned trust anchors in smartphones are disjoint from
>>>> the ones in desktop browsers. The opposite is valid too.
>>>>
>>>> As a result, users visiting the one site on a smartphone and on a
>>>> desktop browser will see TLS warnings that they have not seen
>>>> previously when visiting the same site. (Trust is temporarily
>>>> unavailable.)
>>>>
>>>> Shall we add a Deployment Best Practice 8.x section on "Trust Anchor
>>>> Consistency across devices" that basically recommends browser
>>>> vendors, phone manufacturers etc. to have a consistent set of
>>>> pre-provisioned trust anchors?
>>>
>>> --
>>> /*
>>> Serge Egelman
>>>
>>> PhD Candidate
>>> Vice President for External Affairs, Graduate Student Assembly
>>> Carnegie Mellon University
>>>
>>> Legislative Concerns Chair
>>> National Association of Graduate-Professional Students
>>> */
>>
>> --
>> /*
>> Serge Egelman
>>
>> PhD Candidate
>> Vice President for External Affairs, Graduate Student Assembly
>> Carnegie Mellon University
>>
>> Legislative Concerns Chair
>> National Association of Graduate-Professional Students
>> */
>
> ---
> Johnathan Nightingale
> Human Shield
> johnath@mozilla.com

--
/*
Serge Egelman

PhD Candidate
Vice President for External Affairs, Graduate Student Assembly
Carnegie Mellon University

Legislative Concerns Chair
National Association of Graduate-Professional Students
*/
Received on Monday, 15 October 2007 20:07:27 UTC
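The two technical points in the thread (Johnathan's "certs with multiple signing chains which not all pki stacks can handle" and Luis's finding that phone and desktop trust stores are disjoint, so the same site warns on one device and not the other) can be modelled in a few lines. The following is an added example, not code from the thread or from any W3C or Mozilla project: certificates are plain name/issuer records with a constructed fingerprint standing in for the key, no signatures are verified, and the two trust stores, the cross-signed intermediate and the site name are all invented. It contrasts a stack that only checks the chain as the server sent it with one that does path building across a pool of known intermediates, and then reports which device stores would show a warning for the site under each model.

```python
"""Toy model of certificate path building against per-device trust stores.

Added example: certificates are (subject, issuer, fingerprint) records with
constructed values; nothing cryptographic is checked.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    fingerprint: str  # constructed stand-in for the public-key hash


# Constructed PKI: one issuing CA that is cross-signed by two different roots.
OLD_ROOT = Cert("Old Root CA", "Old Root CA", "fp-old-root")
NEW_ROOT = Cert("New Root CA", "New Root CA", "fp-new-root")
INTER_NEW = Cert("Example Issuing CA", "New Root CA", "fp-inter-new")
INTER_OLD = Cert("Example Issuing CA", "Old Root CA", "fp-inter-old")  # cross-cert
LEAF = Cert("www.example.com", "Example Issuing CA", "fp-leaf")

# Constructed trust stores keyed by device: the phone has not shipped the
# new root, which is the smartphone-vs-desktop gap the issue describes.
STORES = {
    "desktop": {OLD_ROOT, NEW_ROOT},
    "phone": {OLD_ROOT},
}

# What the server sends, and the wider pool of intermediates a path-building
# stack may know about (cached cross-certs, AIA fetches, bundled sets).
SERVER_CHAIN = [LEAF, INTER_NEW]
POOL = [INTER_NEW, INTER_OLD]


def validate_as_sent(chain, anchors):
    """Model of a stack that only checks the chain in the order presented.

    Each cert's issuer must be the next cert's subject, and the last cert's
    issuer must name a trust anchor. Returns True on success.
    """
    for cert, parent in zip(chain, chain[1:]):
        if cert.issuer != parent.subject:
            return False
    return any(root.subject == chain[-1].issuer for root in anchors)


def build_paths(leaf, pool, anchors, max_len=5):
    """Depth-first path building from the leaf towards any trust anchor.

    Every intermediate whose subject matches the current issuer is followed,
    so a cross-signed CA yields one path per root that signed it. Returns the
    list of complete chains, leaf first and anchor last.
    """
    by_subject = {}
    for cert in pool:
        by_subject.setdefault(cert.subject, []).append(cert)
    anchors_by_name = {}
    for root in anchors:
        anchors_by_name.setdefault(root.subject, []).append(root)
    found = []

    def walk(chain):
        current = chain[-1]
        for root in anchors_by_name.get(current.issuer, []):
            found.append(chain + [root])  # reached an anchor in this store
        if len(chain) >= max_len:
            return
        for nxt in by_subject.get(current.issuer, []):
            if nxt not in chain:  # loop guard: cross-certs can form cycles
                walk(chain + [nxt])

    walk([leaf])
    return found


def device_report(use_path_building):
    """Whether the constructed site validates on each device store.

    Returns {device: bool}; a mix of True and False across devices is the
    cross-device warning the issue describes.
    """
    report = {}
    for device, anchors in STORES.items():
        if use_path_building:
            report[device] = bool(build_paths(LEAF, POOL, anchors))
        else:
            report[device] = validate_as_sent(SERVER_CHAIN, anchors)
    return report


def devices_that_warn(report):
    """Sorted list of devices on which the user would see a TLS warning."""
    return sorted(device for device, ok in report.items() if not ok)


if __name__ == "__main__":
    for mode in (False, True):
        rep = device_report(mode)
        label = "path building" if mode else "as-sent"
        print(f"{label:13s} {rep}  warns on: {devices_that_warn(rep)}")
```

With the as-sent model the phone warns and the desktop does not, which is exactly the inconsistency Luis raised; with path building the cross-signed intermediate rescues the phone, but only if that stack knows about the cross-cert, which is Johnathan's caveat about stacks that cannot handle multiple signing chains. A site operator can run this kind of check against each target platform's actual root set before deploying a new chain.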