Re: EV hack

On 20 May 2009, at 01:16, Ian Fette (イアンフェッティ) wrote:

> We discussed this at length in the f2f (Oslo?).

Oslo indeed.  See Yngve's notes at the time:
   http://my.opera.com/yngve/blog/2008/05/23/lowering-the-ev-bar


> I strongly oppose changing this. If DV is not reliable for DV then  
> it needs to be fixed. I for one am not ready to say it's EV or  
> nothing.
>
> 2009/5/19 <michael.mccormick@wellsfargo.com>
> Friends,
>
> Many of you are no doubt aware of green bar spoofing attacks against  
> EV SSL indicators like this one:
> http://www.theregister.co.uk/2009/03/28/ev_ssl_spoofing/
>
> Agents could prevent this in most cases by requiring all displayed  
> content to be AA secured (not just top level document) before  
> displaying the AA indicator.  In private discussions with Wells, one  
> browser manufacturer has already agreed to do exactly this in a  
> future release.
>
> Section 5.3 of WSC-UI (current working draft) says:
>
> A Web User Agent that can display an AA indicator MUST NOT display  
> this indicator unless all elements of the page are loaded from  
> servers presenting a validated certificate, over strongly TLS- 
> protected interactions.
>
> This helps mitigate the spoof risk, but I urge you to add a  
> statement such as:
>
> A Web User Agent that can display an AA indicator SHOULD NOT display  
> this indicator unless all elements of the page are loaded from  
> servers presenting an Augmented Assurance Certificate (AAC) over  
> strongly TLS-protected interactions.
>
> Regards, Mike
>
> Michael McCormick, CISSP
> Lead Architect
> Strategic Information Security Architecture
> Wells Fargo Bank
> "THESE OPINIONS ARE STRICTLY MY OWN AND NOT NECESSARILY THOSE OF  
> WELLS FARGO"
> This message may contain confidential and/or privileged  
> information.  If you are not the addressee or authorized to receive  
> this for the addressee, you must not use, copy, disclose, or take  
> any action based on this message or any information herein.  If you  
> have received this message in error, please advise the sender  
> immediately by reply e-mail and delete this message.  Thank you for  
> your cooperation.
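
The two indicator rules quoted above (the WSC-UI Section 5.3 MUST NOT, which accepts any validated certificate for page elements, and the proposed SHOULD NOT, which requires an AAC for every element), as an added example that is not part of this thread or of the WSC-UI draft. The Assurance levels, the Resource type, the function names and the sample URLs are constructed for illustration; the model shows why an EV top-level document that pulls in a DV-served script keeps the indicator under 5.3 as quoted but loses it under the proposed rule.

```python
from __future__ import annotations
from dataclasses import dataclass
from enum import Enum
from typing import Sequence


class Assurance(Enum):
    """Assurance of the certificate a resource was fetched under (constructed model)."""
    NONE = 0       # plain HTTP, or TLS that is not strongly protected
    VALIDATED = 1  # any validated certificate (e.g. DV) over strongly TLS-protected transport
    AAC = 2        # Augmented Assurance Certificate (EV) over strongly TLS-protected transport


@dataclass(frozen=True)
class Resource:
    url: str
    assurance: Assurance


def required_level(strict: bool) -> Assurance:
    """Minimum assurance every element needs: 5.3 as quoted (validated) or the proposed rule (AAC)."""
    return Assurance.AAC if strict else Assurance.VALIDATED


def blocking_resources(top: Resource, subresources: Sequence[Resource], strict: bool = False) -> list[str]:
    """URLs of page elements that fall below the level the chosen rule requires."""
    level = required_level(strict)
    return [r.url for r in (top, *subresources) if r.assurance.value < level.value]


def may_show_aa_indicator(top: Resource, subresources: Sequence[Resource], strict: bool = False) -> bool:
    """Whether the AA (EV) indicator may be shown. The top-level document must itself be AAC;
    strict=False applies the Section 5.3 MUST NOT, strict=True the proposed SHOULD NOT."""
    if top.assurance is not Assurance.AAC:
        return False
    return not blocking_resources(top, subresources, strict)


# Constructed sample page: an EV top-level document pulling in third-party elements.
EV_PAGE = Resource("https://bank.example/login", Assurance.AAC)
EV_SCRIPT = Resource("https://static.bank.example/app.js", Assurance.AAC)
DV_WIDGET = Resource("https://cdn.example.net/widget.js", Assurance.VALIDATED)
HTTP_IMAGE = Resource("http://images.example.net/logo.png", Assurance.NONE)

if __name__ == "__main__":
    # The DV-served widget passes 5.3 as quoted but blocks the indicator under the proposed rule.
    print(may_show_aa_indicator(EV_PAGE, [EV_SCRIPT, DV_WIDGET]))               # True
    print(may_show_aa_indicator(EV_PAGE, [EV_SCRIPT, DV_WIDGET], strict=True))  # False
    print(blocking_resources(EV_PAGE, [EV_SCRIPT, DV_WIDGET], strict=True))     # ['https://cdn.example.net/widget.js']
    print(may_show_aa_indicator(EV_PAGE, [HTTP_IMAGE]))                         # False
```

The `blocking_resources` list is the audit a site operator would want before relying on the indicator: it names the elements that have to move to an AAC-secured origin for the stricter rule to pass.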

Received on Wednesday, 20 May 2009 10:46:04 UTC