Re: ACTION-453: Initial draft of sec. cons. EV mixed with DV

Here's a stab that might be more suitable for wsc-xit, based on Yngve's 
text, and the discussion in Oslo: 


The EV indicator tells the user that the owner and author of the webpage 
being displayed can be identified using information from the associated EV 
certificate. Identity signals in this specification only directly address 
displaying the identity of the party responsible for the top level 
resource in a web page. User agents may choose to make available the 
identities of other resources that can affect or control the page's 
content, but we do not put forward a model for users on how they might use 
such information in their trust decisions. The identity of the top level 
resource vouches for the content of all dependent resources, which is why 
they must all be strongly TLS protected for the web page to display an AA 
indicator. 

If an EV page includes content from other strongly TLS-protected resources 
that are not identified by EV certificates, the authors for these third 
party parts of the document cannot be identified to the same extent as for 
the main document. Given that certain types of content, for example 
external scripts and styling, can change the containing document's entire 
appearance, and framed content and plugins can be where the user's main 
interaction occurs, the user's real interaction may be with content 
created by a completely different author than the one identified by the 
main document's EV certificate.

Using third party content also makes the main document reliant upon the 
security of the third party contributor, and expands the available attack 
surface of the service, thus giving attackers several more lines of 
attack.
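As an added illustration (not part of the draft text above or of any WSC 
deliverable), the following Python script inventories the sub-resources a 
page declares and sorts them by the distinctions the draft makes: content 
that can rewrite the containing document (scripts, stylesheets), content 
where the user's interaction actually happens (frames, plugins), and 
passive content; it then flags third-party origins and anything not fetched 
over TLS. The sample page, document URL and hostnames are constructed for 
the example. A static scan of the markup cannot see resources that scripts 
add at run time, and it says nothing about whether each origin's 
certificate is EV or DV; that has to be checked against the actual TLS 
connections.

```python
"""Inventory the sub-resources a page depends on and flag the ones the WSC
draft warns about.  Added example; not code from the draft or the working group."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# (tag, attribute) -> (resource kind, how far it can affect the containing page).
# "controls document": can change the whole document's appearance or behaviour.
# "hosts interaction": where the user's real interaction may take place.
RESOURCE_ATTRS = {
    ("script", "src"):  ("script",     "controls document"),
    ("link",   "href"): ("stylesheet", "controls document"),   # only rel=stylesheet
    ("iframe", "src"):  ("frame",      "hosts interaction"),
    ("frame",  "src"):  ("frame",      "hosts interaction"),
    ("embed",  "src"):  ("plugin",     "hosts interaction"),
    ("object", "data"): ("plugin",     "hosts interaction"),
    ("img",    "src"):  ("image",      "passive"),
}


def origin(url):
    """scheme://host[:port], lower-cased: the unit an identity signal applies to."""
    parts = urlsplit(url)
    return f"{parts.scheme.lower()}://{parts.netloc.lower()}"


class DependencyCollector(HTMLParser):
    """Collects every sub-resource reference declared in the markup."""

    def __init__(self, document_url):
        super().__init__()
        self.document_url = document_url
        self.deps = []

    def handle_starttag(self, tag, attrs):
        a = {name: value for name, value in attrs if value is not None}
        for (t, attr), (kind, influence) in RESOURCE_ATTRS.items():
            if tag != t or attr not in a:
                continue
            if t == "link" and "stylesheet" not in a.get("rel", "").lower().split():
                continue  # icons, preloads and the like are not styling
            url = urljoin(self.document_url, a[attr])  # resolve relative references
            self.deps.append({
                "url": url,
                "kind": kind,
                "influence": influence,
                "third_party": origin(url) != origin(self.document_url),
                "strong_tls": urlsplit(url).scheme.lower() == "https",
            })


def audit(html, document_url):
    """Return the list of declared dependencies of the page at document_url."""
    parser = DependencyCollector(document_url)
    parser.feed(html)
    parser.close()
    return parser.deps


def findings(deps):
    """Split the inventory into the two conditions the draft text describes."""
    return {
        # content another author controls that can alter the page or host the interaction
        "third_party_influential": [d["url"] for d in deps
                                    if d["third_party"] and d["influence"] != "passive"],
        # any dependency not strongly TLS protected disqualifies the page from the indicator
        "not_strongly_protected": [d["url"] for d in deps if not d["strong_tls"]],
    }


# Constructed sample: a login page on one host pulling in script, frame and
# plugin content from other hosts, plus one image over plain HTTP.
DOCUMENT_URL = "https://bank.example.com/login"
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="/site.css">
<link rel="icon" href="/favicon.ico">
<script src="https://cdn.example.net/lib.js"></script>
<script src="/app.js"></script>
</head><body>
<img src="http://img.example.org/logo.png">
<iframe src="https://pay.example.com/checkout"></iframe>
<object data="https://widgets.example.net/player.swf"></object>
</body></html>"""

if __name__ == "__main__":
    deps = audit(SAMPLE_HTML, DOCUMENT_URL)
    for d in deps:
        print(f'{d["kind"]:10} {d["influence"]:18} '
              f'{"third-party" if d["third_party"] else "same-origin":11} '
              f'{"https" if d["strong_tls"] else "NOT TLS":7} {d["url"]}')
    print(findings(deps))
```

Run against the constructed page, the script reports three third-party 
resources that can control the document or host the interaction (the CDN 
script, the payment frame and the player plugin) and one dependency not 
strongly TLS protected (the logo image). Same-origin scripts and frames are 
listed but not flagged, since they are covered by the main document's own 
identity.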

From: Johnathan Nightingale <johnath@mozilla.com>
To: yngve@opera.com
Cc: "public-wsc-wg@w3.org" <public-wsc-wg@w3.org>
Date: 06/02/2008 09:38 AM
Subject: Re: ACTION-453: Initial draft of sec. cons. EV mixed with DV
Sent by: public-wsc-wg-request@w3.org

I think this is reasonable text, but I wonder if it wouldn't be better 
in the "Advice to Site Authors" document, since site authors are the 
ones best placed to make decisions about which third parties they 
trust?  There it could also be a full on recommendation, even with 
SHOULD language, instead of just a security consideration in a 
document about browser authors.

Cheers,

Johnathan

On 31-May-08, at 3:29 PM, Yngve Nysaeter Pettersen wrote:

>
> First take (EV used instead of AA):
>
> ---------------------
>
> The EV indicator tells the user that the owner and author of the 
> webpage being displayed can be identified using information from the 
> associated EV certificate.
>
> If an EV page includes content from other strongly TLS-protected 
> resources that are not identified by EV certificates, the authors 
> for these third party parts of the document cannot be identified to 
> the same extent as for the main document.
>
> Given that certain types of content, for example external scripts 
> and styling, can change the containing document's entire appearance, 
> and framed content and plugins can be where the user's main 
> interaction occurs, the user's real interaction may be with content 
> created by a completely different author than the one identified by 
> the main document's EV certificate.
>
> Such change in content origination will not be readily apparent to 
> the user, and main document authors should be cautious when using 
> third party content, and to the best of their ability verify the 
> identity of these contributors.
>
> Using third party content also makes the main document reliant upon 
> the security of the third party contributor, and expands the 
> available attack surface of the service, thus giving attackers 
> several more lines of attack.
>
> ---------------------
>
> -- 
> Sincerely,
> Yngve N. Pettersen
> ********************************************************************
> Senior Developer                                                Email: yngve@opera.com
> Opera Software ASA                   http://www.opera.com/
> Phone:  +47 24 16 42 60              Fax:    +47 24 16 40 01
> ********************************************************************
>

---
Johnathan Nightingale
Human Shield
johnath@mozilla.com

Received on Friday, 6 June 2008 17:26:48 UTC