- From: Serge Egelman <egelman@cs.cmu.edu>
- Date: Mon, 15 Oct 2007 18:04:19 -0400
- To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
- CC: Luis Barriga <luis.barriga@ericsson.com>, Johnathan Nightingale <johnath@mozilla.com>, Ian Fette <ifette@google.com>, Web Security Context Working Group WG <public-wsc-wg@w3.org>
Hmm, I spoke with someone from MS who insisted they do not charge to include certs in IE. I'm still skeptical.

serge

Stephen Farrell wrote:
>
> Well, we may need to be careful - people have paid large piles of money to get roots included (unless sanity's gotten contagious since I last looked, which'd be nice).
>
> Could be all sorts of problems with trying to unify that list across browsers, or with asking one private-members club to maintain the list, much as it seems to make sense.
>
> If a trust anchor management protocol does come into being, that'd provide a more broadly applicable answer.
>
> I think the idea of commensurate security across different devices for the same service really does make a lot of sense. (Good catch.)
>
> S.
>
> Serge Egelman wrote:
>> Yeah, I agree completely. I guess what I meant was, when determining which trust anchors to use in a given browser, we should recommend that CABForum maintains this set of certificates. But that'll just be one of many recommendations in this area. Obviously using the same certificate on the same website across different platforms would be another one.
>>
>> serge
>>
>> Luis Barriga wrote:
>>> Well, it certainly makes sense intuitively, but reality doesn't.
>>>
>>> There is a related issue that I also discovered: Yahoo mail service protects login pages with TLS, but the corresponding mobile version doesn't. Check it yourself: mail.yahoo.com (on a desktop) vs. "mobile.yahoo.com >> mail" (on a smartphone).
>>>
>>> Thus we need another (obvious?) recommendation on TLS consistency across devices?
>>>
>>> It probably makes sense to group all these consistency-across-devices recommendations.
>>>
>>> Luis
>>>
>>> -----Original Message-----
>>> From: public-wsc-wg-request@w3.org on behalf of Serge Egelman
>>> Sent: Mon 2007-10-15 22:06
>>> To: Johnathan Nightingale
>>> Cc: Ian Fette; Web Security Context Working Group WG
>>> Subject: Re: ISSUE-130 (Trust Anchors): Trust Anchor Consistency Across Devices? [Techniques]
>>>
>>> We should just say that CABForum is responsible for this :)
>>>
>>> serge
>>>
>>> Johnathan Nightingale wrote:
>>>> Yeah, but even with trust anchors there are things like certs with multiple signing chains which not all PKI stacks can handle, and there are also plausible policy-based differences, like a user agent that decided to only accept roots from CAs that offer service guarantees on their OCSP servers.
>>>>
>>>> Don't get me wrong, I totally support including this as a Best Practice, it falls under "just makes sense" for me - but I'm also happy it's a best practice, not mandatory, normative language, since that would probably make compliance with the spec unrealistic for some authors.
>>>>
>>>> Cheers,
>>>>
>>>> J
>>>>
>>>> On 15-Oct-07, at 3:51 PM, Serge Egelman wrote:
>>>>
>>>>> Uhhh, this is just about trust anchors (e.g. root certificates), not the other proposals.
>>>>>
>>>>> serge
>>>>>
>>>>> Ian Fette wrote:
>>>>>> Provided that it makes sense for the context. i.e. half of these recommendations I think would be nightmarish on a mobile device if you just take the desktop implementation and tried to use it with mobile. I think consistency is good, but "making sense" on the native platform is certainly going to have to be higher priority if we are to expect adoption.
>>>>>>
>>>>>> On 10/15/07, *Serge Egelman* <egelman@cs.cmu.edu> wrote:
>>>>>>
>>>>>> I would certainly agree to this recommendation.
>>>>>>
>>>>>> serge
>>>>>>
>>>>>> Web Security Context Working Group Issue Tracker wrote:
>>>>>>> ISSUE-130 (Trust Anchors): Trust Anchor Consistency Across Devices? [Techniques]
>>>>>>> http://www.w3.org/2006/WSC/track/issues/
>>>>>>>
>>>>>>> Raised by: Luis Barriga
>>>>>>> On product: Techniques
>>>>>>>
>>>>>>> At the f2f meeting I mentioned one of the findings on smart-phones: the pre-provisioned trust anchors in smartphones are disjoint from the ones in desktop browsers. The opposite is valid too.
>>>>>>>
>>>>>>> As a result, users visiting the one site on a smartphone and on a desktop browser will see TLS warnings that they have not seen previously when visiting the same site. (Trust is temporarily unavailable.)
>>>>>>>
>>>>>>> Shall we add a Deployment Best Practice 8.x section on "Trust Anchor Consistency across devices" that basically recommends browser vendors, phone manufacturers etc. to have a consistent set of pre-provisioned trust anchors?
>>>>>>>
>>>>>> --
>>>>>> /*
>>>>>> Serge Egelman
>>>>>>
>>>>>> PhD Candidate
>>>>>> Vice President for External Affairs, Graduate Student Assembly
>>>>>> Carnegie Mellon University
>>>>>>
>>>>>> Legislative Concerns Chair
>>>>>> National Association of Graduate-Professional Students
>>>>>> */
>>>>>>
>>>> ---
>>>> Johnathan Nightingale
>>>> Human Shield
>>>> johnath@mozilla.com
>>>>
Received on Monday, 15 October 2007 22:05:09 UTC
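The two failure modes the thread discusses, a server chain that reaches a root on one device but not the other, and a cross-signed intermediate that only helps when the PKI stack can backtrack over multiple signing chains, as an added Python model that is not part of the thread. Certificates are reduced to subject, issuer and key ids, and all names, key ids and the "desktop" and "smartphone" trust stores are constructed for the illustration.

```python
from collections import namedtuple

# Only the fields path building needs: who the cert names, who signed it,
# which key signed it (authority key id) and which key it carries (subject key id).
Cert = namedtuple("Cert", "subject issuer akid skid")

def build_path(leaf, pool, anchors, _seen=frozenset()):
    """Depth-first path discovery with backtracking: return
    [leaf.subject, ..., anchor.subject] or None if no issuer chain
    from `leaf` ends at one of `anchors`."""
    if leaf in anchors:
        return [leaf.subject]
    for cand in pool + anchors:
        # An issuer candidate must match by name and by key id; several
        # candidates may match when the same CA key is cross-signed.
        if cand.subject == leaf.issuer and cand.skid == leaf.akid and cand not in _seen:
            path = build_path(cand, pool, anchors, _seen | {leaf})
            if path:
                return [leaf.subject] + path
    return None

def check_across_devices(leaf, sent_chain, stores):
    """Validate the same server-sent chain against each device's trust
    store. Returns ({device: path or None}, accepted_everywhere)."""
    results = {dev: build_path(leaf, sent_chain, anchors) for dev, anchors in stores.items()}
    return results, all(results.values())

# Constructed sample PKI (not real certificates or trust stores).
DESKTOP_ROOT = Cert("Desktop Root CA", "Desktop Root CA", "R1", "R1")
MOBILE_ROOT = Cert("Mobile Root CA", "Mobile Root CA", "R2", "R2")
# One issuing-CA key (skid I1) holding two certificates, one from each root.
ISSUING_CA = Cert("Example Issuing CA", "Desktop Root CA", "R1", "I1")
ISSUING_CA_XSIGN = Cert("Example Issuing CA", "Mobile Root CA", "R2", "I1")
LEAF = Cert("mail.example.com", "Example Issuing CA", "I1", "L1")
STORES = {"desktop": [DESKTOP_ROOT], "smartphone": [MOBILE_ROOT]}

def demo():
    # Server sends only the desktop-rooted intermediate: warning on the phone.
    single = check_across_devices(LEAF, [ISSUING_CA], STORES)
    # Server also sends the cross-signed intermediate: both devices find a path.
    both = check_across_devices(LEAF, [ISSUING_CA, ISSUING_CA_XSIGN], STORES)
    return single, both

if __name__ == "__main__":
    for label, (paths, ok) in zip(("single chain", "cross-signed"), demo()):
        print(label, "consistent" if ok else "INCONSISTENT", paths)
```

A stack that takes the first name-matching issuer and never backtracks would still warn on the phone even with the cross-signed certificate delivered, which is the "not all PKI stacks can handle" caveat from the thread.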