- From: peter williams <home_pw@msn.com>
- Date: Tue, 8 Mar 2011 13:17:26 -0800
- To: "'Henry Story'" <henry.story@bblfish.net>
- CC: "'Yngve Nysaeter Pettersen'" <yngve@opera.com>, <public-xg-webid@w3.org>
Ok. I'm starting to feel that it's worth it. I feel we have gone from denial, ostrich-head-in-the-sand, and religious statements about ideals, to figuring what 1% we can add to the pretty sordid baseline that makes it better. What's good about https today, unlike 15 years ago, is that we are all inverting the paradigm: that any browser is also a server (and thus issuing a user cert is one of issuing a "server" cert, if you look backwards through the looking glass). This is why I think we get to struggle with user certs for client authn , and EV certs for server auth. Because, increasingly, they are one and the same thing (once everyone has their own site). Now comes the policy aspect, as someone indicated. And, here I don't know how to deal with it, in issues. It goes to the heart of what W3C is about, I suspect. There are THOSE who BY POLICY do not wish to see a world in which folks can peer, without intermediation, particularly when its crypto-peering. How do we deal with that here? Usually, it means punting to a "trust framework" in which different policies can co-exist (much like RFC 1422 was the unstated, de-facto, multi-policy trust framework for the web and its use of certs). Is this the cue for us to become more involved in the discussions on "trust frameworks", and have an opinion? Should that opinion be 40% user, 60% corporate biased (hoping to cancel out the dominant corporate biases of other groups) - aiming to find a middle ground somewhere that simply works to avoid: 1% user, 99% corporate, like the 1960s phone systems? Is there an alliance to be had with CAB Forum on formulating "revised policy for firewalls" which can accommodate webid SSL sessions, perhaps? After all, that's where all the browser vendors are, when they are thinking about https. -----Original Message----- From: public-xg-webid-request@w3.org [mailto:public-xg-webid-request@w3.org] On Behalf Of Henry Story Sent: Tuesday, March 08, 2011 11:57 AM To: peter williams Cc: 'Yngve Nysaeter Pettersen'; public-xg-webid@w3.org Subject: Re: report on EV and SSL MITM proxying On 8 Mar 2011, at 20:37, peter williams wrote: > So, the trick to SSL MITMing is to stop thinking that the SSL MITM > properties (setup for document retrieval) have to make life difficult > for client authn. There CAN be multiple sessions, distinguished by > function. One can be intermediated, one note. One can hope EV solves the "intermediated" > issues, for the document retrieval function. One can hope that > firewall vendors (and society) can be persuade of the logic of not > interfering with those sessions aiming at user-authn to public sites. yes, this is an interesting idea to add to ISSUE-28: How does the WebID protocol interact with TLS proxies & firewalls The other trick was the Proxy Certificates we discussed last week I think. http://www.ietf.org/rfc/rfc3820.txt And there is also the option of thinking of the firewall as being your larger Operating system. Your computer is a small process in the company computer, and you are an agent in that larger space. If that is a correct way to describe your situation then it's perfectly ok if the larger OS controls your CA list, and and controls your WebID. Someone could put this altogether and write up a page on the wiki to detail these options. Henry Social Web Architect http://bblfish.net/
Received on Tuesday, 8 March 2011 21:18:22 UTC