- From: Hallam-Baker, Phillip <pbaker@verisign.com>
- Date: Mon, 15 Oct 2007 20:24:50 -0700
- To: "Luis Barriga" <luis.barriga@ericsson.com>, "Serge Egelman" <egelman@cs.cmu.edu>, "Johnathan Nightingale" <johnath@mozilla.com>
- Cc: "Ian Fette" <ifette@google.com>, "Web Security Context Working Group WG" <public-wsc-wg@w3.org>
- Message-ID: <2788466ED3E31C418E9ACC5C31661557084EC3@mou1wnexmb09.vcorp.ad.vrsn.com>
It is NOT a CABForum issue at all. Consistency here could mean two things: 1) Consistency in the set of predetermined roots selected by the browser provider 2) The ability to select a set of roots and apply them consistently across a set of browsers The first seems to me to be a non starter. Besides anti-trust issues there are complex liability issues. Maintaining a list of trust roots for yourself is bad enough, doing so for others who you have no contractual relationship with is a remarkably bad idea. The second approach seems to me to be the one that is rather more interesting. I could support a Best Practice to allow browsers to be chained to a specified SCVP or XKMS service to enable this type of synchronization :-) ________________________________ From: public-wsc-wg-request@w3.org on behalf of Luis Barriga Sent: Mon 15/10/2007 4:57 PM To: Serge Egelman; Johnathan Nightingale Cc: Ian Fette; Web Security Context Working Group WG Subject: RE: ISSUE-130 (Trust Anchors): Trust Anchor Consistency Across Devices? [Techniques] Well, it certainly makes sense intuitively, but reality doesn't. There is a related issue that I also discovered: Yahoo mail service protects login pages with TLS, but the corresponding mobile version doesn't. Check it yourself: mail.yahoo.com (on a desktop) vs. "mobile.yahoo.com >> mail" (on a smartphone). Thus we need another (obvious?) recommendation on TLS consistency across devices? It probably makes sense to group all these consistency across-devices recommendations. Luis -----Original Message----- From: public-wsc-wg-request@w3.org on behalf of Serge Egelman Sent: Mon 2007-10-15 22:06 To: Johnathan Nightingale Cc: Ian Fette; Web Security Context Working Group WG Subject: Re: ISSUE-130 (Trust Anchors): Trust Anchor Consistency Across Devices? [Techniques] We should just say that CABForum is responsible for this :) serge Johnathan Nightingale wrote: > Yeah, but even with trust anchors there are things like certs with > multiple signing chains which not all pki stacks can handle, and there > are also plausible policy-based differences, like a user agent that > decided to only accept roots from CAs that offer service guarantees on > their OCSP servers. > > Don't get me wrong, I totally support including this as a Best Practice, > it falls under "just makes sense" for me - but I'm also happy it's a > best practice, not mandatory, normative language, since that would > probably make compliance with the spec unrealistic for some authors. > > Cheers, > > J > > On 15-Oct-07, at 3:51 PM, Serge Egelman wrote: > >> >> Uhhh, this is just about trust anchors (e.g. root certificates), not the >> other proposals. >> >> serge >> >> Ian Fette wrote: >>> Provided that it makes sense for the context. i.e. half of these >>> recommendations I think would be nightmarish on a mobile device if you >>> just take the desktop implementation and tried to use it with mobile. I >>> think consistency is good, but "making sense" on the native platform is >>> certainly going to have to be higher priority if we are to expect >>> adoption. >>> >>> On 10/15/07, *Serge Egelman* <egelman@cs.cmu.edu >>> <mailto:egelman@cs.cmu.edu>> wrote: >>> >>> >>> I would certainly agree to this recommendation. >>> >>> serge >>> >>> Web Security Context Working Group Issue Tracker wrote: >>>> >>>> ISSUE-130 (Trust Anchors): Trust Anchor Consistency Across >>> Devices? [Techniques] >>>> >>>> http://www.w3.org/2006/WSC/track/issues/ >>>> >>>> Raised by: Luis Barriga >>>> On product: Techniques >>>> >>>> At the f2f meeting I mentioned one of the findings on >>> smart-phones: the pre-provisioned trust anchors in smartphones are >>> disjoint from the ones in desktop browsers. The opposite is valid >>> too. >>>> >>>> As a result, users visiting the one site on a smartphone and on a >>> desktop browser will see TLS warnings that they has not seen >>> previously when visiting the same site. (Trust is temporary >>> unavailable) >>>> >>>> Shall we add a Deployment Best Practice 8.x section on "Trust >>> Anchor Consistency across devices" that basically recommends browser >>> vendors, phone manufacturers etc to have a consistent set of >>> pre-provisioned trust anchors? >>>> >>>> >>>> >>>> >>>> >>>> >>>> >>> >>> -- >>> /* >>> Serge Egelman >>> >>> PhD Candidate >>> Vice President for External Affairs, Graduate Student Assembly >>> Carnegie Mellon University >>> >>> Legislative Concerns Chair >>> National Association of Graduate-Professional Students >>> */ >>> >>> >> >> --/* >> Serge Egelman >> >> PhD Candidate >> Vice President for External Affairs, Graduate Student Assembly >> Carnegie Mellon University >> >> Legislative Concerns Chair >> National Association of Graduate-Professional Students >> */ >> > > --- > Johnathan Nightingale > Human Shield > johnath@mozilla.com > > > -- /* Serge Egelman PhD Candidate Vice President for External Affairs, Graduate Student Assembly Carnegie Mellon University Legislative Concerns Chair National Association of Graduate-Professional Students */
Received on Tuesday, 16 October 2007 03:25:50 UTC