Re: ISSUE-183, ISSUE-169

This is not an area I am personally strong on. I know we have been 
continually concerned with habituation in terms of presenting warnings for 
things that are common, and commonly not dangerous. I think this would 
fall into that category. Anyone else remember specifics or examples? 

          Mez





From: "Joe Steele" <steele@adobe.com>
To: <public-wsc-wg@w3.org>
Date: 05/12/2008 06:20 PM
Subject: Re: ISSUE-183, ISSUE-169



I realized after reading sections 5.1.5 and 5.5.1 again (and again and 
again?) that this does not exclude searching an external pinning cache 
automatically. I am happy with this, since this is a specific case that 
implementers may care about (I certainly do). Mez, please keep reminding 
me to read the spec thoroughly before speaking. :-)
 
However a related issue came up - it looks like a user agent can
automatically pin a self-signed certificate to a site which did not 
already have a pinned certificate and still be conformant. These are the 
relevant bits of text:
 
Section 5.1.5 Self-signed certificate and Untrusted Root Certificates
"If a client is able to automatically accept a self-signed certificate, or
recover from similar problem without user interaction, it MUST NOT do so
unless the client also have a history mechanism about security
information."
 
Section 5.5.1 TLS errors
"3. Otherwise, user agents MAY use error signaling of class notification
to offer pinning ..."
 
Section 6.4.2 Notifications and Status Indicators
"These indicators MAY include user interaction ..."
 
Shouldn't the error signaling be of class warning (section 6.4.3) to
ensure the user must interact to pin a new certificate to the site? This 
would be consistent with #2 in section 5.5.1 as well. 
 
After reading through the minutes on the 2/6 teleconference, it looked 
like the decision was made to not warn strongly in this case. I am not 
clear on why though. It seems like some of the discussion about this was 
not captured. Or I am not finding it. :-) Either way I would appreciate
clarification. I remember some discussion of this on the last 
teleconference, but I did not capture it in my notes. 
 
BTW - I will be attempting to dial in to Oslo tonight.
 
Joe
 

Received on Wednesday, 14 May 2008 05:27:57 UTC