- From: Mary Ellen Zurko <mzurko@us.ibm.com>
- Date: Fri, 2 Jan 2009 14:38:35 -0500
- To: tyler.close@hp.com
- Cc: public-wsc-wg@w3.org
- Message-ID: <OF3DBFF4F8.CA3BDAD4-ON85257532.006BBA52-85257532.006BEDD8@LocalDomain>
In: http://www.w3.org/2008/09/24-wsc-minutes.html

We thought that the new petname text would take care of this LC comment:

_________________________

Section 5.1.6: I have not used petnames, nor do I know much about their usage in the context of this document, so treat the rest of this comment as feedback tinged with curiosity from someone uninitiated in the workings of W3C and unaware of how pervasive the petname concept is in that domain (certainly, I do not think I have run across a current browser that uses petnames in its chrome). Please treat this as a pure comment and not anything that needs resolution.

It seems to me that the petname is a concept layered on top of the information present in X.509 certificates. As such, it is a level of abstraction above the X.509 certificate. Especially, the petname implementor would have to account for wildcards, delegation, etc. If care is not taken to write a good implementation, then security could be -- I think -- compromised by someone modifying the contents of the petname database, or by other means.

If any action item results from this comment at all, it would be along one or more references to more information on the petname concept, especially any papers that outline the threat model of using such a concept. I Googled and ran across http://www.w3.org/2005/Security/usability-ws/papers/02-hp-petname, but that does not contain a threat analysis of this concept. It does, however, explain very well the concept of a petname.

_________________________

Is there a petname reference we could also put in? I believe that would be useful, and a good response to this part.
Received on Friday, 2 January 2009 19:39:37 UTC
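The quoted comment raises two implementation concerns about petnames: that a petname tool sits above X.509 (so wildcards and delegation have to be handled somewhere), and that the petname database itself could be modified. The following is an added, hypothetical illustration of one way a petname store can address both, written for this archive page and not taken from the WSC draft, the HP paper, or any browser. It binds each user-chosen petname to a certificate fingerprint rather than to a DNS name, so recognition rests on the key material actually presented and does not depend on hostname wildcards, and it protects each stored entry with an HMAC under a local secret so that an edit to the database file is detected rather than silently trusted. All certificate bytes and the secret are constructed sample values.

```python
import hashlib
import hmac
import json
from typing import Optional

# Hypothetical petname store (an added example, not an implementation from the
# WSC specification or the cited paper). A petname is a user-chosen local name
# bound to the SHA-256 fingerprint of a site's certificate.


def fingerprint(cert_der: bytes) -> str:
    """Hex SHA-256 fingerprint of a DER-encoded certificate."""
    return hashlib.sha256(cert_der).hexdigest()


class PetnameStore:
    def __init__(self, local_secret: bytes):
        # The secret stays with the user agent and is never written to the
        # database file; an attacker who can only edit that file cannot forge tags.
        self._secret = local_secret
        self._entries = {}  # petname -> {"fp": fingerprint, "tag": hmac}

    def _tag(self, petname: str, fp: str) -> str:
        msg = petname.encode() + b"\x00" + fp.encode()
        return hmac.new(self._secret, msg, hashlib.sha256).hexdigest()

    def assign(self, petname: str, cert_der: bytes) -> None:
        """User assigns a petname to the certificate currently presented."""
        fp = fingerprint(cert_der)
        self._entries[petname] = {"fp": fp, "tag": self._tag(petname, fp)}

    def recognize(self, cert_der: bytes) -> Optional[str]:
        """Return the petname bound to this certificate, or None when the
        certificate is unknown or the matching entry fails its integrity check."""
        fp = fingerprint(cert_der)
        for petname, entry in self._entries.items():
            if entry["fp"] != fp:
                continue
            if not hmac.compare_digest(entry["tag"], self._tag(petname, fp)):
                return None  # entry altered on disk: refuse to vouch for it
            return petname
        return None

    def dump(self) -> str:
        """Serialize the database, tags included, for storage on disk."""
        return json.dumps(self._entries, sort_keys=True)

    def load(self, blob: str) -> int:
        """Load a stored database, discarding entries whose tag does not verify.
        Returns the number of entries dropped."""
        dropped = 0
        self._entries = {}
        for petname, entry in json.loads(blob).items():
            expected = self._tag(petname, str(entry.get("fp", "")))
            if hmac.compare_digest(str(entry.get("tag", "")), expected):
                self._entries[petname] = entry
            else:
                dropped += 1
        return dropped


def demo() -> dict:
    """Walk through assignment, recognition, and detection of a tampered entry."""
    secret = b"constructed-local-secret"
    bank_cert = b"constructed DER bytes for the bank's certificate"      # sample value
    other_cert = b"constructed DER bytes for a look-alike site's cert"   # sample value

    store = PetnameStore(secret)
    store.assign("my bank", bank_cert)
    recognized = store.recognize(bank_cert)   # "my bank"
    unknown = store.recognize(other_cert)     # None: no petname bound to it

    # Simulate someone editing the database file to re-point "my bank" at the
    # look-alike certificate without knowing the local secret.
    tampered = json.loads(store.dump())
    tampered["my bank"]["fp"] = fingerprint(other_cert)

    restored = PetnameStore(secret)
    dropped = restored.load(json.dumps(tampered))   # 1: the forged entry is rejected
    return {
        "recognized": recognized,
        "unknown": unknown,
        "dropped": dropped,
        "after_tamper": restored.recognize(other_cert),  # None, not "my bank"
    }


if __name__ == "__main__":
    print(demo())
```

Binding to the fingerprint means a renewed or replaced certificate will not be recognized until the user re-assigns the petname; that is the usability cost the comment's "level of abstraction above X.509" points at, and a real tool would have to decide whether to bind to the end-entity key, the issuer, or something else. The HMAC only defends against modification of the database file by a party who does not hold the local secret; if the secret is stored alongside the file, the check adds nothing.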