- From: Mary Ellen Zurko <Mary_Ellen_Zurko@notesdev.ibm.com>
- Date: Fri, 26 Oct 2007 18:13:35 -0400
- To: "Serge Egelman <egelman" <egelman@cs.cmu.edu>
- Cc: Web Security Context Working Group WG <public-wsc-wg@w3.org>
- Message-ID: <OF86B92F14.4CC584B7-ON85257380.007A0A54-85257380.007A17E9@LocalDomain>
I'd be pretty dang surprised if Notes charged for including trust roots.
Mez
From:
Serge Egelman <egelman@cs.cmu.edu>
To:
Stephen Farrell <stephen.farrell@cs.tcd.ie>
Cc:
Luis Barriga <luis.barriga@ericsson.com>, Johnathan Nightingale
<johnath@mozilla.com>, Ian Fette <ifette@google.com>, Web Security Context
Working Group WG <public-wsc-wg@w3.org>
Date:
10/15/2007 06:08 PM
Subject:
Re: ISSUE-130 (Trust Anchors): Trust Anchor Consistency Across Devices?
[Techniques]
Hmm, I spoke with someone from MS who insisted they do not charge to
include certs in IE. I'm still skeptical.
serge
Stephen Farrell wrote:
>
> Well, we may need to be careful - people have paid large piles
> of money to get roots included (unless sanity's gotten
> contagious since I last looked, which'd be nice).
>
> Could be all sorts of problems with trying to unify that list
> across browsers, or with asking one private-members club to
> maintain the list, much as it seems to make sense.
>
> If a trust anchor management protocol does come into being,
> that'd provide a more broadly applicable answer.
>
> I think the idea of commensurate security across different
> devices for the same service, really does make a lot of sense.
> (Good catch.)
>
> S.
>
> Serge Egelman wrote:
>> Yeah, I agree completely. I guess what I meant was, when determining
>> which trust anchors to use in a given browser, we should recommend that
>> CABForum maintains this set of certificates. But that'll just be one
of
>> many recommendations in this area. Obviously using the same
certificate
>> on the same website across different platforms would be another one.
>>
>> serge
>>
>> Luis Barriga wrote:
>>> Well, it certainly makes sense intuitively, but reality doesn't.
>>>
>>> There is a related issue that I also discovered: Yahoo mail service
>>> protects login pages with TLS, but the corresponding mobile version
>>> doesn't. Check it yourself: mail.yahoo.com (on a desktop) vs.
>>> "mobile.yahoo.com >> mail" (on a smartphone).
>>>
>>> Thus we need another (obvious?) recommendation on TLS consistency
>>> across devices?
>>>
>>> It probably makes sense to group all these consistency across-devices
>>> recommendations.
>>>
>>> Luis
>>>
>>> -----Original Message-----
>>> From: public-wsc-wg-request@w3.org on behalf of Serge Egelman
>>> Sent: Mon 2007-10-15 22:06
>>> To: Johnathan Nightingale
>>> Cc: Ian Fette; Web Security Context Working Group WG
>>> Subject: Re: ISSUE-130 (Trust Anchors): Trust Anchor Consistency
>>> Across Devices? [Techniques]
>>>
>>>
>>> We should just say that CABForum is responsible for this :)
>>>
>>> serge
>>>
>>> Johnathan Nightingale wrote:
>>>> Yeah, but even with trust anchors there are things like certs with
>>>> multiple signing chains which not all pki stacks can handle, and
there
>>>> are also plausible policy-based differences, like a user agent that
>>>> decided to only accept roots from CAs that offer service guarantees
on
>>>> their OCSP servers.
>>>>
>>>> Don't get me wrong, I totally support including this as a Best
>>>> Practice,
>>>> it falls under "just makes sense" for me - but I'm also happy it's a
>>>> best practice, not mandatory, normative language, since that would
>>>> probably make compliance with the spec unrealistic for some authors.
>>>>
>>>> Cheers,
>>>>
>>>> J
>>>>
>>>> On 15-Oct-07, at 3:51 PM, Serge Egelman wrote:
>>>>
>>>>> Uhhh, this is just about trust anchors (e.g. root certificates),
>>>>> not the
>>>>> other proposals.
>>>>>
>>>>> serge
>>>>>
>>>>> Ian Fette wrote:
>>>>>> Provided that it makes sense for the context. i.e. half of these
>>>>>> recommendations I think would be nightmarish on a mobile device if
>>>>>> you
>>>>>> just take the desktop implementation and tried to use it with
>>>>>> mobile. I
>>>>>> think consistency is good, but "making sense" on the native
>>>>>> platform is
>>>>>> certainly going to have to be higher priority if we are to expect
>>>>>> adoption.
>>>>>>
>>>>>> On 10/15/07, *Serge Egelman* <egelman@cs.cmu.edu
>>>>>> <mailto:egelman@cs.cmu.edu>> wrote:
>>>>>>
>>>>>>
>>>>>> I would certainly agree to this recommendation.
>>>>>>
>>>>>> serge
>>>>>>
>>>>>> Web Security Context Working Group Issue Tracker wrote:
>>>>>>> ISSUE-130 (Trust Anchors): Trust Anchor Consistency Across
>>>>>> Devices? [Techniques]
>>>>>>> http://www.w3.org/2006/WSC/track/issues/
>>>>>>>
>>>>>>> Raised by: Luis Barriga
>>>>>>> On product: Techniques
>>>>>>>
>>>>>>> At the f2f meeting I mentioned one of the findings on
>>>>>> smart-phones: the pre-provisioned trust anchors in smartphones
>>>>>> are
>>>>>> disjoint from the ones in desktop browsers. The opposite is
valid
>>>>>> too.
>>>>>>> As a result, users visiting the one site on a smartphone and on a
>>>>>> desktop browser will see TLS warnings that they has not seen
>>>>>> previously when visiting the same site. (Trust is temporary
>>>>>> unavailable)
>>>>>>> Shall we add a Deployment Best Practice 8.x section on "Trust
>>>>>> Anchor Consistency across devices" that basically recommends
>>>>>> browser
>>>>>> vendors, phone manufacturers etc to have a consistent set of
>>>>>> pre-provisioned trust anchors?
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>> --
>>>>>> /*
>>>>>> Serge Egelman
>>>>>>
>>>>>> PhD Candidate
>>>>>> Vice President for External Affairs, Graduate Student Assembly
>>>>>> Carnegie Mellon University
>>>>>>
>>>>>> Legislative Concerns Chair
>>>>>> National Association of Graduate-Professional Students
>>>>>> */
>>>>>>
>>>>>>
>>>>> --/*
>>>>> Serge Egelman
>>>>>
>>>>> PhD Candidate
>>>>> Vice President for External Affairs, Graduate Student Assembly
>>>>> Carnegie Mellon University
>>>>>
>>>>> Legislative Concerns Chair
>>>>> National Association of Graduate-Professional Students
>>>>> */
>>>>>
>>>> ---
>>>> Johnathan Nightingale
>>>> Human Shield
>>>> johnath@mozilla.com
>>>>
>>>>
>>>>
>>
--
/*
Serge Egelman
PhD Candidate
Vice President for External Affairs, Graduate Student Assembly
Carnegie Mellon University
Legislative Concerns Chair
National Association of Graduate-Professional Students
*/
Received on Friday, 26 October 2007 22:13:57 UTC