Re: ISSUE-169 Section 5.5.3 creates a burden on browsers to remember past certificates

Hey Thomas,

The text below was proposed by me, and is in the document, and is  
probably enough to close the issue.  But in side conversations with  
Mez, I ruminated over the fact that it's not clear to me whether this  
renders, e.g., Firefox 3 non-compliant.  I *think* we'd be fine,  
because this line seems to carry the day:

>> The requirements in this section do not require user agents to
>>  store information about past interactions longer than they
>>  otherwise would.

But the thing is, we DO store plenty of information about past  
interactions: browsing history, bookmarks, saved passwords, cookies,  
as examples.  But we do NOT store historical TLS information.  I  
*think* that's still okay, that since we are not expunging it but  
rather failing to store it in the first place, and since "the  
requirements in this section do not..." we are okay.  But it's not  
immediately clear to me as an implementor, whether or not I am in  
compliance.  As I said to Mez, the spec's language needn't concern  
itself with whether or not Firefox 3 is in compliance, but it *should*  
concern itself with whether or not an implementor can easily answer  
such questions.

I guess my proposal text to disambiguate things a little further would  
be to make the first line more explicit:

"The requirements in this section do not require user agents to store  
information about past TLS interactions longer than they otherwise  
would, they only serve to govern the treatment of that information, if  
stored."

That text makes it clear to me that Firefox 3, storing no historical  
TLS information, is "trivially compliant" with a section governing the  
use of it, if stored.  If the group is okay with "trivial compliance"  
here, then I think my text will work, and we can close the issue.   
However, if people think that compliance with this spec *should*  
demand storage of historical TLS information, then we should leave the  
text as-is (or even make it more explicit), close the issue, but  
recognize that Firefox 3 won't be a compliant implementation to point  
to.

Cheers,

Johnathan

PS - And yes, I know, I'm beefing about my own text.  I am a silly,  
silly man.

On 9-May-08, at 8:33 AM, Thomas Roessler wrote:

>
> I thought that issue was taken care of with the following language
> (by Johnathan):
>
>  The requirements in this section do not require user agents to
>  store information about past interactions longer than they
>  otherwise would. Historical TLS information stored for the
>  purposes of evaluating security relevant changes of behavior MAY
>  be expunged from the user agent on the same schedule as other
>  browsing history information. Historical TLS information MUST NOT
>  be expunged prior to other browsing history information. For
>  purposes of this requirement, browsing history information
>  includes visit logs, bookmarks, and information stored in a user
>  agent cache.
>
> Last pargarph of text above this heading:
>
>  http://www.w3.org/2006/WSC/drafts/rec/rewrite.html#errors-blacklists
>
> -- 
> Thomas Roessler, W3C  <tlr@w3.org>
>
>
>
>
>
> On 2008-05-09 08:23:35 -0400, Mary Ellen Zurko wrote:
>> From: Mary Ellen Zurko <Mary_Ellen_Zurko@notesdev.ibm.com>
>> To: Johnathan Nightingale <johnath@johnath.com>
>> Cc: public-wsc-wg@w3.org
>> Date: Fri, 9 May 2008 08:23:35 -0400
>> Subject: ISSUE-169 Section 5.5.3 creates a burden on browsers to  
>> remember past  certificates
>> List-Id: <public-wsc-wg.w3.org>
>> X-Spam-Level:
>> Authentication-Results: mx.google.com; spf=pass (google.com: domain  
>> of public-wsc-wg-request@listhub.w3.org
>> 	designates 128.30.52.56 as permitted sender) smtp.mail=public-wsc-wg-request@listhub.w3.org
>> Archived-At: <http://www.w3.org/mid/OF757DA4C0.47CB9B90-ON85257444.0043F315-85257444.004413CE@LocalDomain 
>> >
>> X-Bogosity: Ham, tests=bogofilter, spamicity=0.026623, version=1.1.6
>>
>> This issue needs to be made "good" with a concrete straw proposal,  
>> since
>> we've already gone through this section in detailed discussions.  
>> Anyone
>> still care enough about it to do that?
>>
>> http://www.w3.org/2006/WSC/wiki/WriteGoodIssue
>>
>>
>
>

---
Johnathan Nightingale
Human Shield
johnath@mozilla.com

Received on Friday, 9 May 2008 13:01:39 UTC