- From: Thomas Roessler <tlr@w3.org>
- Date: Mon, 6 Oct 2008 13:54:59 +0200
- To: WSC WG <public-wsc-wg@w3.org>
Minutes from our meeting on 2008-09-24 were approved and are
available online here:
http://www.w3.org/2008/09/24-wsc-minutes.html
A text version is included below the .signature.
--
Thomas Roessler, W3C <tlr@w3.org>
[1]W3C
Web Security Context Working Group Teleconference
24 Sep 2008
See also: [2]IRC log
Attendees
Present
Mary Ellen Zurko, Thomas Roessler, Yngve Pettersen, Maritza
Johnson, Jan Vidar Krey, Tyler Close, Rachna Dhamija, Bill
Doyle, Dan Schutzer
Regrets
Ian Fette, Joe Steele, Anil Saldhana
Chair
Mary Ellen Zurko
Scribe
Tyler Close
Contents
* [3]Topics
1. [4]Minutes approved
2. [5]Pending Actions
3. [6]Open Action items
4. [7]Agenda Bashing
5. [8]Last call comments from Vijay
* [9]Summary of Action Items
__________________________________________________________________
Minutes approved
Pending Actions
mez: nothing that needs discussion in the telecon
<Mez> [10]http://www.w3.org/2006/WSC/track/actions/open
Open Action items
Agenda Bashing
Mez: We will be looking at the comments from Vijay of the IETF
applications area.
... Want to do more with the Features at Risk over the next couple of
weeks.
<Mez> [11]http://lists.w3.org/Archives/Public/public-wsc-wg/2008Sep/0019.html
Last call comments from Vijay
Mez: Thanks to Lisa for coordinating this feedback
... There's an RFC reference that needs to be corrected
TLR: on it!
Mez: There's an editorial comment in about the second paragraph
TLR: got that one too
<tlr> +1 to MEz
Mez: Vijay believes our interpretation of the AA-qualified certificate
fields is incorrect
... Thought the use of the OID in the certificate was the correct
mechanism
TLR: thinks this might be an issue with the clarity of the text
... will try to clarify
Mez: Looking at the question about the SAN field.
Yngve: There are requirements on what must be in these certificates
Mez: So we should specify that certificates that are missing required
fields are not AA?
Yngve: Some close checking of the specification is needed here
... Need to check into the exact contents of the SubjectAltName
<tlr> ACTION: yngve to check EV expectations for subjectAltName
[recorded in
[12]http://www.w3.org/2008/09/24-wsc-minutes.html#action02]
<trackbot> Created ACTION-517 - Check EV expectations for
subjectAltName [on Yngve Pettersen - due 2008-10-01].
Mez: Moving on to the comment on Section 5.1.5
... We didn't think we needed to specify a number of visits.
... Anyone have other opinions?
... OK, so no we don't think we need to specify a number of visits
... Moving on to section 5.1.6
TLR: Tyler has an ACTION here
tyler: Part of the response is the new petname rec text
Mez: Section 5.4.1
<Mez> [13]http://www.w3.org/TR/wsc-ui/#sec-tlserrors
Mez: I think "these interactions" refers to interactions resulting from
a TLS error
... I think part of the confusion comes from ambiguity about which
certificates the comment is about
TLR: Yes, I think we need to clarify the text here.
... thinking...
<Mez> When certificate information is presented in these interactions,
human-readable information derived from the certificates in question
(and any other certificates not trusted) MUST NOT be presented as
trustworthy. Examples of such certificate information within those
certificates not to be presented as trustworthy include Common Name or
Organization attributes.
<tlr> ACTION: thomas to refine text above this action in the minutes
[recorded in
[14]http://www.w3.org/2008/09/24-wsc-minutes.html#action03]
<trackbot> Created ACTION-518 - Refine text above this action in the
minutes [on Thomas Roessler - due 2008-10-01].
Mez: Moving on to comment on Section 6.1.1
<Mez> [15]http://www.w3.org/TR/wsc-ui/#identity-requirement
TLR: This is about IETF view that DNS names shouldn't be used in the CN
field, although the Internet currently works that way.
<tlr> ... then it MUST include an applicable DNS name. The DNS name
MUST be derived from a subjectAltName extension. If this extension is
not present, and a DNS name is included with the certificate's Common
Name attribute, then the latter MUST be used.
Yngve: Perhaps we should just reference the rules in HTTPS RFC, and so
just say "according to the rules".
TLR: I fear it is actually specified in 2817
... the TLS upgrade spec
<tlr> [16]http://www.ietf.org/rfc/rfc2818.txt
<tlr> RFC 2818 section 3.1
Yngve: RFC 2818 is informational
... it's old
tyler: Think we don't want to reference any of the fields in the
certificate, but use the hostname from the URL, as validated by the
certificate. After all, there may be multiple hostnames in the
certificate.
<tlr> *.w3.org -> w3.org if there's a wildcard?
rachna: What are we trying to convey to the user?
... do we want the user to know there is a wildcard certificate in use?
tlr: I am worried about a wildcard cert letting the attacker choose an
arbitrary string to present to the user
tyler: Perhaps the base domain concept could be useful here.
tlr: Don't want to use that here
... For example, phisher has cert for *.foo.com and puts up a site at
bankofamerica.foo.com
... Perhaps show the longest validated part of the hostname.
... which would be similar to the base domain concept
<Mez> cutting off the asterisk is a little odd
<Mez> .foo.com and foo.com look pretty similar
<Mez> in the former case it's a "good" match, in the latter, it's not
TLR: prefers string transform to the base domain algorithm which uses a
separate database
<tlr> "E.g., *.a.com matches foo.a.com but not bar.foo.a.com. f*.com
matches foo.com but not bar.com."
<tlr> (from 2818)
Yngve: Opera shows the wildcard value from the certificate.
TLR: Let's also look at how the other browsers are handling this
Yngve: discussing the particulars of wildcard matching in PKIX
<tlr> ACTION: thomas to solicit input on wildcard implementation
[recorded in
[17]http://www.w3.org/2008/09/24-wsc-minutes.html#action04]
<trackbot> Created ACTION-519 - Solicit input on wildcard
implementation [on Thomas Roessler - due 2008-10-01].
<tlr> ACTION: thomas to draft explanation of wildcard & scaling of
attacks [recorded in
[18]http://www.w3.org/2008/09/24-wsc-minutes.html#action05]
<trackbot> Created ACTION-520 - Draft explanation of wildcard & scaling
of attacks [on Thomas Roessler - due 2008-10-01].
<tlr> ISSUE: What information should be shown in the identity signal if
no human readable information except for domain names is available?
(6.1.1, LC-2088)
<trackbot> Created ISSUE-216 - What information should be shown in the
identity signal if no human readable information except for domain
names is available? (6.1.1, LC-2088) ; please complete additional
details at [19]http://www.w3.org/2006/WSC/track/issues/216/edit .
Mez: Moving on to Section 7.1.1
<Mez> [20]http://www.w3.org/TR/wsc-ui/#sharedsecret-goodpractice
Mez: I thought this whole section was about the user agent rather than
the server. So am looking for the place where Vijay found the text
about the server
... Ah I see in section 7.1.1 we talk about a site spoofing the browser
Yngve: Perhaps the first sentence should call out the motivation for
having a trusted path.
<tlr> oooops, wasn't totally tuned in
<tlr> ACTION: mez to propose clarification for 7.1.1 [recorded in
[21]http://www.w3.org/2008/09/24-wsc-minutes.html#action06]
<trackbot> Created ACTION-521 - Propose clarification for 7.1.1 [on
Mary Ellen Zurko - due 2008-10-01].
Mez: Give me an ACTION to propose clearer text
... 6.1.1 looks like it requires the most thought, though the petnames
comments may also
... What are the next steps?
TLR: We're still reviewing the comments. Will need to draft a response
eventually.
<tlr> [22]http://lists.w3.org/Archives/Public/public-usable-authentication/2008Sep/
Summary of Action Items
[NEW] ACTION: mez to propose clarification for 7.1.1 [recorded in
[23]http://www.w3.org/2008/09/24-wsc-minutes.html#action06]
[NEW] ACTION: thomas to draft explanation of wildcard & scaling of
attacks [recorded in
[24]http://www.w3.org/2008/09/24-wsc-minutes.html#action05]
[NEW] ACTION: thomas to put information about upcoming f2f on group
homepage [recorded in
[25]http://www.w3.org/2008/09/24-wsc-minutes.html#action01]
[NEW] ACTION: thomas to refine text above this action in the minutes
[recorded in
[26]http://www.w3.org/2008/09/24-wsc-minutes.html#action03]
[NEW] ACTION: thomas to solicit input on wildcard implementation
[recorded in
[27]http://www.w3.org/2008/09/24-wsc-minutes.html#action04]
[NEW] ACTION: yngve to check EV expectations for subjectAltName
[recorded in
[28]http://www.w3.org/2008/09/24-wsc-minutes.html#action02]
[End of minutes]
__________________________________________________________________
References
1. http://www.w3.org/
2. http://www.w3.org/2008/09/24-wsc-irc
3. http://www.w3.org/2008/09/24-wsc-minutes.html#agenda
4. http://www.w3.org/2008/09/24-wsc-minutes.html#item01
5. http://www.w3.org/2008/09/24-wsc-minutes.html#item02
6. http://www.w3.org/2008/09/24-wsc-minutes.html#item03
7. http://www.w3.org/2008/09/24-wsc-minutes.html#item04
8. http://www.w3.org/2008/09/24-wsc-minutes.html#item05
9. http://www.w3.org/2008/09/24-wsc-minutes.html#ActionSummary
10. http://www.w3.org/2006/WSC/track/actions/open
11. http://lists.w3.org/Archives/Public/public-wsc-wg/2008Sep/0019.html
12. http://www.w3.org/2008/09/24-wsc-minutes.html#action02
13. http://www.w3.org/TR/wsc-ui/#sec-tlserrors
14. http://www.w3.org/2008/09/24-wsc-minutes.html#action03
15. http://www.w3.org/TR/wsc-ui/#identity-requirement
16. http://www.ietf.org/rfc/rfc2818.txt
17. http://www.w3.org/2008/09/24-wsc-minutes.html#action04
18. http://www.w3.org/2008/09/24-wsc-minutes.html#action05
19. http://www.w3.org/2006/WSC/track/issues/216/edit
20. http://www.w3.org/TR/wsc-ui/#sharedsecret-goodpractice
21. http://www.w3.org/2008/09/24-wsc-minutes.html#action06
22. http://lists.w3.org/Archives/Public/public-usable-authentication/2008Sep/
23. http://www.w3.org/2008/09/24-wsc-minutes.html#action06
24. http://www.w3.org/2008/09/24-wsc-minutes.html#action05
25. http://www.w3.org/2008/09/24-wsc-minutes.html#action01
26. http://www.w3.org/2008/09/24-wsc-minutes.html#action03
27. http://www.w3.org/2008/09/24-wsc-minutes.html#action04
28. http://www.w3.org/2008/09/24-wsc-minutes.html#action02
Received on Monday, 6 October 2008 11:56:02 UTC
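Added worked example (editor's addition; this is not text from the minutes, the wsc-ui draft or any browser vendor). It implements the two rules the 6.1.1 discussion above turns on: the RFC 2818 section 3.1 wildcard matching that tlr quoted ("*.a.com matches foo.a.com but not bar.foo.a.com. f*.com matches foo.com but not bar.com"), and the identifier selection from the draft text (subjectAltName dNSNames first, Common Name only if the extension is absent). It then derives the "longest validated part of the hostname" that tlr floated for the identity signal, so that a phisher holding a cert for *.foo.com and serving bankofamerica.foo.com gets foo.com shown rather than the attacker-chosen label. The CertIdentity class is a hypothetical minimal stand-in for the certificate's name fields, and validated_suffix is one possible reading of "longest validated part", not a rule the group adopted.

```python
"""Hostname matching per RFC 2818 section 3.1 and a candidate display-name
rule for the wsc-ui identity signal (constructed example, not WG text)."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class CertIdentity:
    """Hypothetical minimal view of the name fields of an X.509 certificate."""
    san_dns: List[str]                 # dNSName entries of subjectAltName; [] if absent
    common_name: Optional[str] = None  # subject Common Name attribute, if any


def _split(name: str) -> List[str]:
    """Lower-case and split a DNS name into labels; a trailing dot is ignored."""
    return name.lower().rstrip(".").split(".")


def _label_matches(pattern: str, label: str) -> bool:
    """RFC 2818: '*' matches any single component or component fragment,
    so 'f*' matches 'foo' but not 'bar'. At most one '*' per label."""
    if "*" not in pattern:
        return pattern == label
    head, _, tail = pattern.partition("*")
    if "*" in tail:          # several wildcards in one label: refuse to match
        return False
    return (len(label) >= len(head) + len(tail)
            and label.startswith(head)
            and label.endswith(tail))


def rfc2818_match(pattern: str, hostname: str) -> bool:
    """True if hostname matches the certificate identifier.
    A wildcard never spans a dot: '*.a.com' matches 'foo.a.com' but not
    'bar.foo.a.com' (the RFC 2818 example quoted in the minutes)."""
    p, h = _split(pattern), _split(hostname)
    if len(p) != len(h):
        return False
    return all(_label_matches(pl, hl) for pl, hl in zip(p, h))


def candidate_identifiers(cert: CertIdentity) -> List[str]:
    """Identifier selection as in the 6.1.1 draft text quoted in the minutes:
    use subjectAltName dNSNames; fall back to a DNS name in the Common Name
    only when the extension is absent entirely."""
    if cert.san_dns:
        return list(cert.san_dns)
    if cert.common_name and "." in cert.common_name:
        return [cert.common_name]
    return []


def matched_identifier(cert: CertIdentity, hostname: str) -> Optional[str]:
    """The identifier (possibly a wildcard) that validated hostname, or None."""
    for ident in candidate_identifiers(cert):
        if rfc2818_match(ident, hostname):
            return ident
    return None


def validated_suffix(pattern: str, hostname: str) -> str:
    """One reading of 'show the longest validated part of the hostname':
    keep only the trailing labels the certificate states literally, dropping
    every label an attacker can choose under a wildcard. For '*.foo.com'
    and 'bankofamerica.foo.com' this yields 'foo.com'."""
    kept: List[str] = []
    for pl, hl in zip(reversed(_split(pattern)), reversed(_split(hostname))):
        if "*" in pl:
            break
        kept.append(hl)
    return ".".join(reversed(kept))


def identity_display(cert: CertIdentity, hostname: str) -> Optional[str]:
    """String a user agent could show in its identity signal when the
    certificate carries no human-readable name beyond DNS names (ISSUE-216).
    None means the certificate did not validate the URL's hostname at all."""
    ident = matched_identifier(cert, hostname)
    if ident is None:
        return None
    return validated_suffix(ident, hostname)


if __name__ == "__main__":
    # Constructed phishing scenario from the discussion: cert for *.foo.com.
    phisher = CertIdentity(san_dns=["*.foo.com"])
    print(identity_display(phisher, "bankofamerica.foo.com"))  # foo.com
```

Note on the design: the match is done against the hostname taken from the URL, as tyler suggested, and the display string is then derived from the matched identifier, so a certificate listing several names never leaks an unrelated name into the signal. The partial-wildcard form "f*.com" is the case Mez's ".foo.com versus foo.com" remark points at: with this rule it collapses to just "com", which is deliberately conservative, since everything left of the wildcard fragment is attacker-controlled.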