- From: Luis Barriga <luis.barriga@ericsson.com>
- Date: Tue, 16 Oct 2007 14:57:24 +0200
- To: "Stephen Farrell" <stephen.farrell@cs.tcd.ie>, "Serge Egelman" <egelman@cs.cmu.edu>, "Johnathan Nightingale" <johnath@mozilla.com>, "Ian Fette" <ifette@google.com>
- Cc: "Web Security Context Working Group WG" <public-wsc-wg@w3.org>
I see short-, medium- and long-term recommendations to achieve overall trust and security consistency across devices involving warnings, TLS and anchors. Short-term: there is a need to identify those use cases (if any) where warnings are obviously not needed at all. The UA can then *reduce* their amount. (*eliminating* them with current infras and practices is not feasible) For example, if I start at a login site with self-signed cert (SSC) or a Unknown Trust Anchor (UTA), and I accept the very first *active* warning, why should I keep getting the warning again for each redirection that doesn't change the security level (except for the same SSC or UTA). Does anyone see an attack vector here? Medium-term recs include those targetted to web site authoring and deployment folks so that they enforce TLS consistency across devices. (see Yahoo use case below) Long-term recs are having some common common Trust-Anchors and/or a (IETF) protocol. Luis -----Original Message----- From: public-wsc-wg-request@w3.org [mailto:public-wsc-wg-request@w3.org] On Behalf Of Stephen Farrell Sent: den 15 oktober 2007 23:47 To: Luis Barriga Cc: Serge Egelman; Johnathan Nightingale; Ian Fette; Web Security Context Working Group WG Subject: Re: ISSUE-130 (Trust Anchors): Trust Anchor Consistency Across Devices? [Techniques] Well, we may need to be careful - people have paid large piles of money to get roots included (unless sanity's gotten contagious since I last looked, which'd be nice). Could be all sorts of problems with trying to unify that list across browsers, or with asking one private-members club to maintain the list, much as it seems to make sense. If a trust anchor management protocol does come into being, that'd provide a more broadly applicable answer. I think the idea of commensurate security across different devices for the same service, really does make a lot of sense. (Good catch.) S. Serge Egelman wrote: > Yeah, I agree completely. I guess what I meant was, when determining > which trust anchors to use in a given browser, we should recommend > that CABForum maintains this set of certificates. But that'll just be > one of many recommendations in this area. Obviously using the same > certificate on the same website across different platforms would be another one. > > serge > > Luis Barriga wrote: >> Well, it certainly makes sense intuitively, but reality doesn't. >> >> There is a related issue that I also discovered: Yahoo mail service protects login pages with TLS, but the corresponding mobile version doesn't. Check it yourself: mail.yahoo.com (on a desktop) vs. "mobile.yahoo.com >> mail" (on a smartphone). >> >> Thus we need another (obvious?) recommendation on TLS consistency across devices? >> >> It probably makes sense to group all these consistency across-devices recommendations. >> >> Luis >> >> -----Original Message----- >> From: public-wsc-wg-request@w3.org on behalf of Serge Egelman >> Sent: Mon 2007-10-15 22:06 >> To: Johnathan Nightingale >> Cc: Ian Fette; Web Security Context Working Group WG >> Subject: Re: ISSUE-130 (Trust Anchors): Trust Anchor Consistency Across Devices? [Techniques] >> >> >> We should just say that CABForum is responsible for this :) >> >> serge >> >> Johnathan Nightingale wrote: >>> Yeah, but even with trust anchors there are things like certs with >>> multiple signing chains which not all pki stacks can handle, and >>> there are also plausible policy-based differences, like a user agent >>> that decided to only accept roots from CAs that offer service >>> guarantees on their OCSP servers. >>> >>> Don't get me wrong, I totally support including this as a Best >>> Practice, it falls under "just makes sense" for me - but I'm also >>> happy it's a best practice, not mandatory, normative language, since >>> that would probably make compliance with the spec unrealistic for some authors. >>> >>> Cheers, >>> >>> J >>> >>> On 15-Oct-07, at 3:51 PM, Serge Egelman wrote: >>> >>>> Uhhh, this is just about trust anchors (e.g. root certificates), >>>> not the other proposals. >>>> >>>> serge >>>> >>>> Ian Fette wrote: >>>>> Provided that it makes sense for the context. i.e. half of these >>>>> recommendations I think would be nightmarish on a mobile device if >>>>> you just take the desktop implementation and tried to use it with >>>>> mobile. I think consistency is good, but "making sense" on the >>>>> native platform is certainly going to have to be higher priority >>>>> if we are to expect adoption. >>>>> >>>>> On 10/15/07, *Serge Egelman* <egelman@cs.cmu.edu >>>>> <mailto:egelman@cs.cmu.edu>> wrote: >>>>> >>>>> >>>>> I would certainly agree to this recommendation. >>>>> >>>>> serge >>>>> >>>>> Web Security Context Working Group Issue Tracker wrote: >>>>>> ISSUE-130 (Trust Anchors): Trust Anchor Consistency Across >>>>> Devices? [Techniques] >>>>>> http://www.w3.org/2006/WSC/track/issues/ >>>>>> >>>>>> Raised by: Luis Barriga >>>>>> On product: Techniques >>>>>> >>>>>> At the f2f meeting I mentioned one of the findings on >>>>> smart-phones: the pre-provisioned trust anchors in smartphones are >>>>> disjoint from the ones in desktop browsers. The opposite is >>>>> valid too. >>>>>> As a result, users visiting the one site on a smartphone and on a >>>>> desktop browser will see TLS warnings that they has not seen >>>>> previously when visiting the same site. (Trust is temporary >>>>> unavailable) >>>>>> Shall we add a Deployment Best Practice 8.x section on "Trust >>>>> Anchor Consistency across devices" that basically recommends browser >>>>> vendors, phone manufacturers etc to have a consistent set of >>>>> pre-provisioned trust anchors? >>>>>> >>>>>> >>>>>> >>>>>> >>>>>> >>>>> -- >>>>> /* >>>>> Serge Egelman >>>>> >>>>> PhD Candidate >>>>> Vice President for External Affairs, Graduate Student Assembly >>>>> Carnegie Mellon University >>>>> >>>>> Legislative Concerns Chair >>>>> National Association of Graduate-Professional Students >>>>> */ >>>>> >>>>> >>>> --/* >>>> Serge Egelman >>>> >>>> PhD Candidate >>>> Vice President for External Affairs, Graduate Student Assembly >>>> Carnegie Mellon University >>>> >>>> Legislative Concerns Chair >>>> National Association of Graduate-Professional Students */ >>>> >>> --- >>> Johnathan Nightingale >>> Human Shield >>> johnath@mozilla.com >>> >>> >>> >
Received on Tuesday, 16 October 2007 12:57:35 UTC