Re: ACTION-453: Initial draft of sec. cons. EV mixed with DV from Johnathan Nightingale on 2008-06-02 (public-wsc-wg@w3.org from June 2008)

From: Johnathan Nightingale <johnath@mozilla.com>
Date: Mon, 2 Jun 2008 09:31:43 -0400
To: yngve@opera.com
Cc: "public-wsc-wg@w3.org" <public-wsc-wg@w3.org>
Message-Id: <2382C7ED-C73C-4540-813A-DDE5ED5420C9@mozilla.com>

I think this is reasonable text, but I wonder if it wouldn't be better  
in the "Advice to Site Authors" document, since site authors are the  
ones best placed to make decisions about which third parties they  
trust?  There it could also be a full on recommendation, even with  
SHOULD language, instead of just a security consideration in a  
document about browser authors.

Cheers,

Johnathan

On 31-May-08, at 3:29 PM, Yngve Nysaeter Pettersen wrote:

>
> First take (EV used instead of AA):
>
> ---------------------
>
> The EV indicator tells the user that the owner and author of the  
> webpage being displayed can be identified using information from the  
> associated EV certificate.
>
> If a EV page includes content from other strongly TLS-protected  
> resources that are not identified by EV certificates, the authors  
> for these third party parts of the document cannot be identified to  
> the same extent as for the main document.
>
> Given that certain types of content, for example external scripts  
> and styling can change the containing document's entire appearance,  
> and framed content and plugins can be where the user's main  
> interaction occurs, the user's real interaction may be with content  
> created by a completely different author than the one identified by  
> the main document's EV certificate.
>
> Such change in content origination will not be readily apparent to  
> the user, and main document authors should be cautious when using  
> third party content, and to the best of their ability verify the  
> identity of these contributors.
>
> Using third party content also makes the main document reliant upon  
> the security of the third party contributor, and expands the  
> available attack surface of the service, thus giving attackers  
> several more lines of attack.
>
> ---------------------
>
> -- 
> Sincerely,
> Yngve N. Pettersen
> ********************************************************************
> Senior Developer		                 Email: yngve@opera.com
> Opera Software ASA                   http://www.opera.com/
> Phone:  +47 24 16 42 60              Fax:    +47 24 16 40 01
> ********************************************************************
>

---
Johnathan Nightingale
Human Shield
johnath@mozilla.com

Received on Monday, 2 June 2008 13:32:35 UTC