- From: Mary Ellen Zurko <Mary_Ellen_Zurko@notesdev.ibm.com>
- Date: Fri, 6 Jun 2008 13:26:04 -0400
- To: Johnathan Nightingale <johnath@mozilla.com>
- Cc: "public-wsc-wg@w3.org" <public-wsc-wg@w3.org>
- Message-ID: <OF5D158BCD.8752CC13-ON85257460.005E8ED4-85257460.005FC53E@LocalDomain>
Here's a stab that might be more suitable for wsc-xit, based on Yngve's text, and the discussion in Oslo:

The EV indicator tells the user that the owner and author of the webpage being displayed can be identified using information from the associated EV certificate.

Identity signals in this specification only directly address displaying the identity of the party responsible for the top level resource in a web page. User agents may choose to make the identities of other resources that can affect or control the page's content, but we do not put forward a model for users on how they might use such information in their trust decisions. The identity of the top level resource vouches for the content of all dependent resources, which is why they must all be strongly TLS protected for the web page to display an AA indicator.

If an EV page includes content from other strongly TLS-protected resources that are not identified by EV certificates, the authors for these third party parts of the document cannot be identified to the same extent as for the main document.

Given that certain types of content, for example external scripts and styling can change the containing document's entire appearance, and framed content and plugins can be where the user's main interaction occurs, the user's real interaction may be with content created by a completely different author than the one identified by the main document's EV certificate.

Using third party content also makes the main document reliant upon the security of the third party contributor, and expands the available attack surface of the service, thus giving attackers several more lines of attack.

From: Johnathan Nightingale <johnath@mozilla.com>
To: yngve@opera.com
Cc: "public-wsc-wg@w3.org" <public-wsc-wg@w3.org>
Date: 06/02/2008 09:38 AM
Subject: Re: ACTION-453: Initial draft of sec. cons. EV mixed with DV
Sent by: public-wsc-wg-request@w3.org

I think this is reasonable text, but I wonder if it wouldn't be better in the "Advice to Site Authors" document, since site authors are the ones best placed to make decisions about which third parties they trust? There it could also be a full-on recommendation, even with SHOULD language, instead of just a security consideration in a document about browser authors.

Cheers,
Johnathan

On 31-May-08, at 3:29 PM, Yngve Nysaeter Pettersen wrote:

> First take (EV used instead of AA):
>
> ---------------------
>
> The EV indicator tells the user that the owner and author of the
> webpage being displayed can be identified using information from the
> associated EV certificate.
>
> If an EV page includes content from other strongly TLS-protected
> resources that are not identified by EV certificates, the authors
> for these third party parts of the document cannot be identified to
> the same extent as for the main document.
>
> Given that certain types of content, for example external scripts
> and styling can change the containing document's entire appearance,
> and framed content and plugins can be where the user's main
> interaction occurs, the user's real interaction may be with content
> created by a completely different author than the one identified by
> the main document's EV certificate.
>
> Such change in content origination will not be readily apparent to
> the user, and main document authors should be cautious when using
> third party content, and to the best of their ability verify the
> identity of these contributors.
>
> Using third party content also makes the main document reliant upon
> the security of the third party contributor, and expands the
> available attack surface of the service, thus giving attackers
> several more lines of attack.
>
> ---------------------
>
> --
> Sincerely,
> Yngve N. Pettersen
> ********************************************************************
> Senior Developer                 Email: yngve@opera.com
> Opera Software ASA               http://www.opera.com/
> Phone: +47 24 16 42 60           Fax: +47 24 16 40 01
> ********************************************************************

---
Johnathan Nightingale
Human Shield
johnath@mozilla.com
Received on Friday, 6 June 2008 17:26:48 UTC
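
Added example, not part of the original thread: a site author's inventory of the content types the draft text singles out (external scripts, styling, framed content, plugins), bucketed by whether each is loaded over TLS and whether it comes from an origin other than the top-level document. Whether a certificate is EV cannot be read from markup, so the `https` scheme is used here as an assumed stand-in for "strongly TLS protected"; the function names, hosts and sample page are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag -> (URL attribute, content category named in the draft text)
ACTIVE = {"script": ("src", "script"), "link": ("href", "styling"),
          "iframe": ("src", "framed content"), "frame": ("src", "framed content"),
          "object": ("data", "plugin"), "embed": ("src", "plugin")}

def origin(url):
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}".lower()

class Inventory(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url, self.found = page_url, []

    def handle_starttag(self, tag, attrs):
        if tag not in ACTIVE:
            return
        attr, category = ACTIVE[tag]
        a = dict(attrs)
        # <link> only counts when it loads a stylesheet
        if tag == "link" and "stylesheet" not in (a.get("rel") or "").lower().split():
            return
        if a.get(attr):
            self.found.append((category, urljoin(self.page_url, a[attr])))

def audit(page_url, html):
    """Bucket each active subresource relative to the top-level document."""
    inv = Inventory(page_url)
    inv.feed(html)
    report = {"not_tls": [], "third_party": [], "same_origin": []}
    for category, url in inv.found:
        if urlsplit(url).scheme != "https":    # assumed proxy for "strongly TLS protected"
            report["not_tls"].append((category, url))
        elif origin(url) != origin(page_url):  # author not named by the page's certificate
            report["third_party"].append((category, url))
        else:
            report["same_origin"].append((category, url))
    return report

# Constructed sample page (hypothetical hosts)
SAMPLE_URL = "https://bank.example/login"
SAMPLE_HTML = """
<link rel="stylesheet" href="/site.css"><link rel="icon" href="/favicon.ico">
<script src="https://cdn.example.net/lib.js"></script>
<iframe src="https://pay.example.org/form"></iframe>
<embed src="http://media.example.com/player.swf">"""
```

Entries under `third_party` are the contributors whose identity the site author would need to verify separately; entries under `not_tls` are the ones that would break the all-dependent-resources-protected condition in the draft.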