- From: Yngve Nysaeter Pettersen <yngve@opera.com>
- Date: Sat, 31 May 2008 21:29:08 +0200
- To: "public-wsc-wg@w3.org" <public-wsc-wg@w3.org>
First take (EV used instead of AA):

---------------------

The EV indicator tells the user that the owner and author of the webpage being displayed can be identified using information from the associated EV certificate.

If an EV page includes content from other strongly TLS-protected resources that are not identified by EV certificates, the authors for these third party parts of the document cannot be identified to the same extent as for the main document.

Given that certain types of content, for example external scripts and styling can change the containing document's entire appearance, and framed content and plugins can be where the user's main interaction occurs, the user's real interaction may be with content created by a completely different author than the one identified by the main document's EV certificate.

Such change in content origination will not be readily apparent to the user, and main document authors should be cautious when using third party content, and to the best of their ability verify the identity of these contributors.

Using third party content also makes the main document reliant upon the security of the third party contributor, and expands the available attack surface of the service, thus giving attackers several more lines of attack.

---------------------

--
Sincerely,
Yngve N. Pettersen

********************************************************************
Senior Developer                     Email: yngve@opera.com
Opera Software ASA                   http://www.opera.com/
Phone: +47 24 16 42 60               Fax: +47 24 16 40 01
********************************************************************
Received on Saturday, 31 May 2008 19:31:44 UTC
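
As an added illustration, not part of the original message or of any W3C or Opera code: a page author following the advice above could inventory the scripts, styling, framed content and plugins that a document loads from other origins, since those are the contributors whose identity needs verifying. The names `audit`, `origin` and `ThirdPartyAudit` and all hostnames are assumptions made for this example; it treats "different origin" as a stand-in for "possibly a different author" and does not inspect certificates.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# tag -> (URL-carrying attribute, content kind named in the message)
EMBEDS = {
    "script": ("src", "script"),
    "link": ("href", "styling"),
    "iframe": ("src", "framed content"),
    "frame": ("src", "framed content"),
    "embed": ("src", "plugin"),
    "object": ("data", "plugin"),
}

def origin(url):
    p = urlsplit(url)  # compare (scheme, host, port) with the default port filled in
    return (p.scheme, p.hostname, p.port or {"https": 443, "http": 80}.get(p.scheme))

class ThirdPartyAudit(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url, self.findings = page_url, []

    def handle_starttag(self, tag, attrs):
        if tag not in EMBEDS:
            return
        attr, kind = EMBEDS[tag]
        a = dict(attrs)
        # <link> only counts when it pulls in a stylesheet
        if tag == "link" and "stylesheet" not in (a.get("rel") or "").lower().split():
            return
        if a.get(attr):
            target = urljoin(self.page_url, a[attr])  # resolve relative references
            if origin(target) != origin(self.page_url):
                self.findings.append((kind, target))

def audit(page_url, html):
    """Return [(kind, absolute_url)] for embeds served from another origin."""
    parser = ThirdPartyAudit(page_url)
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample page; every hostname is a placeholder.
SAMPLE = """<link rel="stylesheet" href="/css/site.css">
<link rel="stylesheet" href="https://cdn.example.net/theme.css">
<script src="https://stats.example.org/t.js"></script><script src="js/app.js"></script>
<iframe src="https://pay.example.com/checkout"></iframe>
<object data="https://media.example.net/player.swf"></object>"""
print(*audit("https://bank.example/login", SAMPLE), sep="\n")
```

Each reported URL is a contributor the main document depends on; same-origin resources such as `/css/site.css` are left out because they are covered by the main document's own certificate.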