- From: Anil Saldhana <Anil.Saldhana@redhat.com>
- Date: Mon, 12 May 2008 16:49:28 -0500
- To: Joe Steele <steele@adobe.com>, "public-wsc-wg@w3.org" <public-wsc-wg@w3.org>
Hi Joe, I am copying the list for feedback from Yngve (on the history mechanism). Regarding the usage of "Client" rather than User Agent, I had a similar question when I put in the text but kind of remembered the discussion during the meeting about the scope of the spec (whether only limited to web browsers or even text based browsers etc). Anybody else remembers or has issues with the word - Client. Regards, Anil Joe Steele wrote: > Hi Anil, > > I have a question -- > > It is not clear to me what is meant by "a history mechanism about > security information ". Can you point me to some clarifying text? I can > think of different kinds of security history which would not be useful > here. > > And some picky comments -- > > Shouldn't the text refer to "user agent" instead of "client"? > > You should change "client also have" to "client also has". > > Thanks, > > Joe > > -----Original Message----- > From: public-wsc-wg-request@w3.org [mailto:public-wsc-wg-request@w3.org] > On Behalf Of Anil Saldhana > Sent: Sunday, May 11, 2008 2:32 PM > To: Web Security Context Working Group WG > Subject: Re: ISSUE-183: Automatic Selfsigned Certificate > acceptance/probation MUST NOT be implemented unless there is a history > capability [wsc-xit] > > > The associated action, ACTION-418 has been completed. This issue is > ready to be closed. > > Web Security Context Working Group Issue Tracker wrote: >> ISSUE-183: Automatic Selfsigned Certificate acceptance/probation MUST > NOT be implemented unless there is a history capability [wsc-xit] >> http://www.w3.org/2006/WSC/track/issues/ >> >> Raised by: Yngve Pettersen >> On product: wsc-xit >> >> If a client is able to automatically accept a Selfsigned Certificate, > or recover from similar problem without user interaction, it MUST NOT do > so unless the client also have a history mechanism about security > information. >> The reason for this is that if there is no information about the > previous security state available, an attacker can exploit such > automatic actions to stage a Man-In-the-Middle attack by replacing the > original site's certificate. >
Received on Monday, 12 May 2008 21:50:16 UTC