RE: nasty nasty bug in chrome from Peter Williams on 2011-02-09 (public-xg-webid@w3.org from February 2011)

From: Peter Williams <home_pw@msn.com>
Date: Wed, 9 Feb 2011 06:42:38 -0800
To: <ltorokjr@gmail.com>
CC: <nathan@webr3.org>, "public-xg-webid@w3.org" <public-xg-webid@w3.org>
Message-ID: <SNT143-w3E8958945F7AA971FD8A992ED0@phx.gbl>

The definition given so far (and I know its an informal email, off the cuff...) seems quite weak.
 
If you have a smartcard involved in the SSL, you have assurances that are not really present in the simplistic PC-as-cryptomodule case. This is particularly the case with national Id smartcards - which are NOT JUST throwaway visa smartcards/javacards, or chip-and-pin SDA/DDA cards in the UK. They have a much deeper social integraiton.
 
One has to remember, in professional  "transmission security" (distinguished from "communications security"), that ciphers can be represented in different ways in their implementation. One "representation" can be sending off implementation signals that can be tracked by signals analysis, and another does not - even though its the same math. IN the case of SSL, you have to remember that SSL uses a framing bearer (much like the internet and ipsec have to deal with packet fragmentation) and the servers gets to induce signals into the very fragmentation of IP or SSL record layer - which tune a software circuit listening for the pattern (think like an old radio engineer...). These signals are allowed - SINCE TLS 1.0 only - to be be being passed back EVEN IN THE HANDSHAKE PROTOCOL via the PC/SC smartcard driver to the smartcard. this MAY do something like change its forensics (from trusted cizien, to suspect, to charged, to docked.... to prisoner (still with a health smartcard).... to probationer...)
 
I not sure how deep W3C wants to get into the crypto aspects of all this; whether it wants to perhaps craft just "a framework" in this  aspect, so other can add value perhaps. There seems a want to think hold the line at webbyiness, which seems to assume the world is nice happy world, where "naugtiness" is defined by the trust and malice model of the typical 5 year old. 
 
What suits the 16 year old wanting webids may well not suit the military office LAN or google/azure/amazon cloud. It obviously doesnt suit military/diplomatic strategic or tactical communications.
 



Date: Wed, 9 Feb 2011 15:08:49 +0100
From: ltorokjr@gmail.com


 

  I dont know what an incognito window is.

Nathan is probably refering to the "mode" that is also available in Firefox as "Start private browsing".

This means all cookies and any kind of previous browsing history that might help identify you at the server is reset/unavailable. It should mimic/replicate the situation of landing on a website for the first time. Any kind of action taken during this private browsing session is purged after you terminate the session (i.e close the window)

Received on Wednesday, 9 February 2011 14:43:34 UTC