RE: ISSUE-130 (Trust Anchors): Trust Anchor Consistency Across Devices? [Techniques]

A good number of people see us doing something useful as part of this 
issue. I'd like to put it on the agenda on Wed. Folks who think we can 
should draft a straw proposal of the sort of text they'd like to see 
before then, and send it out as part of this thread. Thanks. 

          Mez





From: "Luis Barriga" <luis.barriga@ericsson.com>
To: "Stephen Farrell" <stephen.farrell@cs.tcd.ie>, "Serge Egelman" <egelman@cs.cmu.edu>, "Johnathan Nightingale" <johnath@mozilla.com>, "Ian Fette" <ifette@google.com>
Cc: "Web Security Context Working Group WG" <public-wsc-wg@w3.org>
Date: 10/16/2007 09:00 AM
Subject: RE: ISSUE-130 (Trust Anchors): Trust Anchor Consistency Across Devices? [Techniques]




I see short-, medium- and long-term recommendations to achieve overall
trust and security consistency across devices involving warnings, TLS
and anchors.

Short-term: there is a need to identify those use cases (if any) where
warnings are obviously not needed at all. The UA can then *reduce* their
amount. (*eliminating* them with current infras and practices is not
feasible)

For example, if I start at a login site with a self-signed cert (SSC) or an
Unknown Trust Anchor (UTA), and I accept the very first *active*
warning, why should I keep getting the warning again for each
redirection that doesn't change the security level (except for the same
SSC or UTA)? Does anyone see an attack vector here?

Medium-term recs include those targeted to web site authoring and
deployment folks so that they enforce TLS consistency across devices.
(see Yahoo use case below)

Long-term recs are having some common Trust-Anchors and/or an
(IETF) protocol.

Luis 

-----Original Message-----
From: public-wsc-wg-request@w3.org [mailto:public-wsc-wg-request@w3.org]
On Behalf Of Stephen Farrell
Sent: den 15 oktober 2007 23:47
To: Luis Barriga
Cc: Serge Egelman; Johnathan Nightingale; Ian Fette; Web Security
Context Working Group WG
Subject: Re: ISSUE-130 (Trust Anchors): Trust Anchor Consistency Across
Devices? [Techniques]



Well, we may need to be careful - people have paid large piles of money
to get roots included (unless sanity's gotten contagious since I last
looked, which'd be nice).

Could be all sorts of problems with trying to unify that list across
browsers, or with asking one private-members club to maintain the list,
much as it seems to make sense.

If a trust anchor management protocol does come into being, that'd
provide a more broadly applicable answer.

I think the idea of commensurate security across different devices for
the same service, really does make a lot of sense.
(Good catch.)

S.

Serge Egelman wrote:
> Yeah, I agree completely.  I guess what I meant was, when determining
> which trust anchors to use in a given browser, we should recommend
> that CABForum maintains this set of certificates.  But that'll just be
> one of many recommendations in this area.  Obviously using the same
> certificate on the same website across different platforms would be
> another one.
> 
> serge
> 
> Luis Barriga wrote:
>> Well, it certainly makes sense intuitively, but reality doesn't.
>>
>> There is a related issue that I also discovered: Yahoo mail service
>> protects login pages with TLS, but the corresponding mobile version
>> doesn't. Check it yourself: mail.yahoo.com (on a desktop) vs.
>> "mobile.yahoo.com >> mail" (on a smartphone).
>>
>> Thus we need another (obvious?) recommendation on TLS consistency
>> across devices?
>>
>> It probably makes sense to group all these consistency across-devices
>> recommendations.
>>
>> Luis
>>
>> -----Original Message-----
>> From: public-wsc-wg-request@w3.org on behalf of Serge Egelman
>> Sent: Mon 2007-10-15 22:06
>> To: Johnathan Nightingale
>> Cc: Ian Fette; Web Security Context Working Group WG
>> Subject: Re: ISSUE-130 (Trust Anchors): Trust Anchor Consistency Across Devices? [Techniques]
>> 
>>
>> We should just say that CABForum is responsible for this :)
>>
>> serge
>>
>> Johnathan Nightingale wrote:
>>> Yeah, but even with trust anchors there are things like certs with
>>> multiple signing chains which not all pki stacks can handle, and
>>> there are also plausible policy-based differences, like a user agent
>>> that decided to only accept roots from CAs that offer service
>>> guarantees on their OCSP servers.
>>>
>>> Don't get me wrong, I totally support including this as a Best
>>> Practice, it falls under "just makes sense" for me - but I'm also
>>> happy it's a best practice, not mandatory, normative language, since
>>> that would probably make compliance with the spec unrealistic for
>>> some authors.
>>>
>>> Cheers,
>>>
>>> J
>>>
>>> On 15-Oct-07, at 3:51 PM, Serge Egelman wrote:
>>>
>>>> Uhhh, this is just about trust anchors (e.g. root certificates), 
>>>> not the other proposals.
>>>>
>>>> serge
>>>>
>>>> Ian Fette wrote:
>>>>> Provided that it makes sense for the context. i.e. half of these
>>>>> recommendations I think would be nightmarish on a mobile device if
>>>>> you just take the desktop implementation and tried to use it with
>>>>> mobile. I think consistency is good, but "making sense" on the
>>>>> native platform is certainly going to have to be higher priority
>>>>> if we are to expect adoption.
>>>>>
>>>>> On 10/15/07, Serge Egelman <egelman@cs.cmu.edu> wrote:
>>>>>
>>>>>
>>>>>     I would certainly agree to this recommendation.
>>>>>
>>>>>     serge
>>>>>
>>>>>     Web Security Context Working Group Issue Tracker wrote:
>>>>>> ISSUE-130 (Trust Anchors): Trust Anchor Consistency Across
>>>>>> Devices? [Techniques]
>>>>>> http://www.w3.org/2006/WSC/track/issues/
>>>>>>
>>>>>> Raised by: Luis Barriga
>>>>>> On product: Techniques
>>>>>>
>>>>>> At the f2f meeting I mentioned one of the findings on
>>>>>> smart-phones: the pre-provisioned trust anchors in smartphones
>>>>>> are disjoint from the ones in desktop browsers. The opposite is
>>>>>> valid too.
>>>>>> As a result, users visiting the one site on a smartphone and on a
>>>>>> desktop browser will see TLS warnings that they have not seen
>>>>>> previously when visiting the same site. (Trust is temporarily
>>>>>> unavailable)
>>>>>> Shall we add a Deployment Best Practice 8.x section on "Trust
>>>>>> Anchor Consistency across devices" that basically recommends
>>>>>> browser vendors, phone manufacturers etc to have a consistent set
>>>>>> of pre-provisioned trust anchors?
>>>>>>
>>>>>     --
>>>>>     /*
>>>>>     Serge Egelman
>>>>>
>>>>>     PhD Candidate
>>>>>     Vice President for External Affairs, Graduate Student Assembly
>>>>>     Carnegie Mellon University
>>>>>
>>>>>     Legislative Concerns Chair
>>>>>     National Association of Graduate-Professional Students
>>>>>     */
>>>>>
>>>>>
>>>> --/*
>>>> Serge Egelman
>>>>
>>>> PhD Candidate
>>>> Vice President for External Affairs, Graduate Student Assembly 
>>>> Carnegie Mellon University
>>>>
>>>> Legislative Concerns Chair
>>>> National Association of Graduate-Professional Students */
>>>>
>>> ---
>>> Johnathan Nightingale
>>> Human Shield
>>> johnath@mozilla.com
>>>
>>>
>>>
> 

Received on Friday, 26 October 2007 22:19:42 UTC