RE: ISSUE-130 (Trust Anchors): Trust Anchor Consistency Across Devices? [Techniques]

Well, it certainly makes sense intuitively, but reality doesn't.

There is a related issue that I also discovered: Yahoo mail service protects login pages with TLS, but the corresponding mobile version doesn't. Check it yourself: mail.yahoo.com (on a desktop) vs. "mobile.yahoo.com >> mail" (on a smartphone).

Thus we need another (obvious?) recommendation on TLS consistency across devices?

It probably makes sense to group all these consistency-across-devices recommendations.

Luis

-----Original Message-----
From: public-wsc-wg-request@w3.org on behalf of Serge Egelman
Sent: Mon 2007-10-15 22:06
To: Johnathan Nightingale
Cc: Ian Fette; Web Security Context Working Group WG
Subject: Re: ISSUE-130 (Trust Anchors): Trust Anchor Consistency Across Devices? [Techniques]

We should just say that CABForum is responsible for this :)

serge

Johnathan Nightingale wrote:
> Yeah, but even with trust anchors there are things like certs with
> multiple signing chains which not all pki stacks can handle, and there
> are also plausible policy-based differences, like a user agent that
> decided to only accept roots from CAs that offer service guarantees on
> their OCSP servers.
> 
> Don't get me wrong, I totally support including this as a Best Practice,
> it falls under "just makes sense" for me - but I'm also happy it's a
> best practice, not mandatory, normative language, since that would
> probably make compliance with the spec unrealistic for some authors.
> 
> Cheers,
> 
> J
> 
> On 15-Oct-07, at 3:51 PM, Serge Egelman wrote:
> 
>>
>> Uhhh, this is just about trust anchors (e.g. root certificates), not the
>> other proposals.
>>
>> serge
>>
>> Ian Fette wrote:
>>> Provided that it makes sense for the context. i.e. half of these
>>> recommendations I think would be nightmarish on a mobile device if you
>>> just take the desktop implementation and tried to use it with mobile. I
>>> think consistency is good, but "making sense" on the native platform is
>>> certainly going to have to be higher priority if we are to expect
>>> adoption.
>>>
>>> On 10/15/07, *Serge Egelman* <egelman@cs.cmu.edu> wrote:
>>>
>>>
>>>     I would certainly agree to this recommendation.
>>>
>>>     serge
>>>
>>>     Web Security Context Working Group Issue Tracker wrote:
>>>>
>>>> ISSUE-130 (Trust Anchors): Trust Anchor Consistency Across
>>>> Devices? [Techniques]
>>>>
>>>> http://www.w3.org/2006/WSC/track/issues/
>>>>
>>>> Raised by: Luis Barriga
>>>> On product: Techniques
>>>>
>>>> At the f2f meeting I mentioned one of the findings on
>>>> smart-phones: the pre-provisioned trust anchors in smartphones are
>>>> disjoint from the ones in desktop browsers. The opposite is valid
>>>> too.
>>>>
>>>> As a result, users visiting the one site on a smartphone and on a
>>>> desktop browser will see TLS warnings that they have not seen
>>>> previously when visiting the same site. (Trust is temporarily
>>>> unavailable)
>>>>
>>>> Shall we add a Deployment Best Practice 8.x section on "Trust
>>>> Anchor Consistency across devices" that basically recommends browser
>>>> vendors, phone manufacturers etc. to have a consistent set of
>>>> pre-provisioned trust anchors?
>>>>
>>>
>>>     --
>>>     /*
>>>     Serge Egelman
>>>
>>>     PhD Candidate
>>>     Vice President for External Affairs, Graduate Student Assembly
>>>     Carnegie Mellon University
>>>
>>>     Legislative Concerns Chair
>>>     National Association of Graduate-Professional Students
>>>     */
>>>
>>>
>>
>> --/*
>> Serge Egelman
>>
>> PhD Candidate
>> Vice President for External Affairs, Graduate Student Assembly
>> Carnegie Mellon University
>>
>> Legislative Concerns Chair
>> National Association of Graduate-Professional Students
>> */
>>
> 
> ---
> Johnathan Nightingale
> Human Shield
> johnath@mozilla.com
> 
> 
> 

-- 
/*
Serge Egelman

PhD Candidate
Vice President for External Affairs, Graduate Student Assembly
Carnegie Mellon University

Legislative Concerns Chair
National Association of Graduate-Professional Students
*/

Received on Monday, 15 October 2007 21:00:50 UTC