- From: <michael.mccormick@wellsfargo.com>
- Date: Thu, 20 Sep 2007 17:23:56 -0500
- To: <johnath@mozilla.com>, <dan.schutzer@fstc.org>
- Cc: <public-wsc-wg@w3.org>
First of all, I feel SBM should be SSL-only (only https allowed, possible exception for certain MIMEs like GIF), so to me always requiring a TLS handshake isn't a problem.

I agree an EV cert by itself provides little or no assurance of trustworthiness or safety, but I didn't think SBM was proposing to use vanilla EV. My understanding was that EV communities would be formed and managed by a central authority that imposes additional controls on issuing CAs. For example, a banking community could be managed by an association such as the ABA, and ABA would require all participating issuers to meet (and impose) certain criteria that go above & beyond what CAB Forum mandates.

In that scenario, possession of an EV SSL cert with the ABA community logo seems to me equivalent in every meaningful way to having one's URL on an ABA-managed white list... without all the well-known inherent disadvantages of white listing (not scalable, not real-time, not secure, etc.)

Mike

-----Original Message-----
From: public-wsc-wg-request@w3.org [mailto:public-wsc-wg-request@w3.org] On Behalf Of Johnathan Nightingale
Sent: Wednesday, September 19, 2007 4:54 PM
To: Web Security Context Working Group WG
Subject: Re: ISSUE-108: Should Safe Browsing mode restrict users to a specific set of sites? [Techniques]

Using EV certs as the stand-in for a whitelist seems wrong, to me. EV certs make strong identity claims, but not trustworthiness or safety claims, which I think SBM envisions. EV certs in combination with a whitelist seem like a more natural fit, if we're going to recommend this at all.

I think the argument has been advanced that we could use the community logotype field of an EV cert as a proxy for the whitelist, basically that having (say) the FSTC logo in there acts as de facto whitelist membership. One downside I see there is that it still requires the SSL handshake to take place (in order to acquire the certificate for inspection), which exposes some, albeit limited, attack surface. In an EV+Whitelist world, that initial connection wouldn't occur because the "Your accounts are being closed" email link would presumably point to some non-whitelisted domain, and the connection would not be built in the first place.

I've said in the past that I don't think the maintenance and generation of these lists can be accurately foreseen, and hence that I don't think it's really the right kind of thing for our group to mandate, since that compels us to declare "non-conforming" any browser that doesn't think the lists are mature enough. Nevertheless, if we *are* to make such a recommendation, it feels like EVs shouldn't be used as a surrogate for "trustworthiness" determinations.

Cheers,

Johnathan

On 18-Sep-07, at 8:59 AM, Web Security Context Working Group Issue Tracker wrote:

> ISSUE-108: Should Safe Browsing mode restrict users to a specific set of sites? [Techniques]
>
> http://www.w3.org/2006/WSC/track/issues/
>
> Raised by: Thomas Roessler
> On product: Techniques
>
> In the current draft:
>
> Editor's Draft $Date: 2007/09/18 12:50:20 $
>
> safe browsing mode includes a requirement that Web user agents only be able to access EV (or EV-like) sites when in Safe Browsing Mode. From discussions, this is one possible approach; the aim seems to be to have some whitelist of trusted sites that can be accessed in this mode.
>
> Questions:
>
> - Should such a whitelist exist at all?
> - If it exists, are EV certificates the right criterion?

---
Johnathan Nightingale
Human Shield
johnath@mozilla.com
Received on Thursday, 20 September 2007 22:24:55 UTC
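The two Safe Browsing Mode gates the thread contrasts, as an added model (not code from the WSC WG or any browser): a whitelist gate that decides from the URL before any connection, and an EV-logotype gate that can only decide after a handshake has already exposed the client. The whitelist, the community logo identifier and the pre-parsed certificate dicts are constructed sample values; only the id-pe-logotype OID is a real identifier (RFC 3709).

```python
from urllib.parse import urlsplit

# id-pe-logotype, the X.509 extension (RFC 3709) where an EV community logo sits.
LOGOTYPE_OID = "1.3.6.1.5.5.7.1.12"

# Constructed sample policy data (assumptions, not from the thread): one
# community-managed whitelist and the logo identifier that community publishes.
COMMUNITY_WHITELIST = {"www.bank.example"}
COMMUNITY_LOGOS = {"community-logo-id-example"}


def whitelist_gate(url, whitelist=COMMUNITY_WHITELIST):
    """EV+Whitelist policy: decide from the URL alone, before any network I/O.

    Returns (verdict, handshakes) so the cost in TLS handshakes is explicit.
    """
    parts = urlsplit(url)
    if parts.scheme != "https" or parts.hostname not in whitelist:
        return "block", 0          # the phishing link never gets a connection
    return "connect", 1            # only whitelisted hosts are ever contacted


def ev_logotype_gate(url, fetch_cert, logos=COMMUNITY_LOGOS):
    """EV-only policy: the logotype can be read only after a handshake,
    so every https host, trusted or not, costs one connection."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return "block", 0
    cert = fetch_cert(parts.hostname)               # handshake already done
    logos_present = set(cert.get("extensions", {}).get(LOGOTYPE_OID, ()))
    if cert.get("ev") and logos & logos_present:
        return "allow", 1
    return "block", 1                               # blocked, but after exposure


# Constructed stand-in for a TLS client: certificates as already-parsed dicts.
SAMPLE_CERTS = {
    "www.bank.example": {"ev": True,
                         "extensions": {LOGOTYPE_OID: ["community-logo-id-example"]}},
    "accounts-closed.example": {"ev": True, "extensions": {}},  # EV, wrong community
}


def sample_fetch_cert(host):
    return SAMPLE_CERTS[host]


def compare(url):
    """Run both gates on one URL to see where the exposure differs."""
    return {"whitelist": whitelist_gate(url),
            "ev_logotype": ev_logotype_gate(url, sample_fetch_cert)}
```

Running `compare("https://accounts-closed.example/login")` shows both policies blocking the page, but only the EV-logotype policy pays a handshake with the untrusted host to get there.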