- From: Graham Klyne <GK@ninebynine.org>
- Date: Tue, 20 Dec 2011 09:25:20 +0000
- To: www-tag@w3.org
I'm offline as I reply, so I can't offer a link (*), but it's probably worth noting that the IETF currently has a web application security activity with some strong security experts engaged. IIRC, the group tag is "WebSec".

#g

--

(*) The following message excerpt should point a path to the right places

[[
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>

Sorry for delay, I now uploaded minutes from Taipei:
<http://www.ietf.org/proceedings/82/minutes/websec.txt>
]]

On 19/12/2011 23:44, Harry Halpin wrote:
> While I understand the CA system is somewhat outside your usual remit, let me add this to your pile of woes. I'm doing this because 1) the system has so stunningly come apart at the seams last year that it seems all parties involved in the Web (ISOC, W3C, etc.) should be actively looking at this issue and 2) there are now three different proposals for fixing this.
>
> There's currently a giant gaping security issue on the Web, namely that it's quite easy to fake the root certificates of a CA and so compromise TLS connections - and thus most high-value transactions on the Web in a way that is *very* hard to detect. For a detailed explanation of the problem, Moxie of Whisper Systems has an excellent video [1]. There's been a number of very high-profile compromises, such as the DigiNotar [2] and Comodo attacks [3]. Overall, probably problem #1 for security on the Web. It undermines all financial transactions on the Web - I'd bet money Paypal stays awake at night thinking about this. It's also a life and death situation for human rights activists in Syria, Iran, and elsewhere - who may not stay awake another night if the cert for their Gmail or Facebook account is faked.
>
> Now, over the last weeks I've seen about 3 different proposals that are quite serious:
>
> 1) Google's Proposal (Ben Laurie and Adam Langley): Basically make a public audit log of registered certs, and then the client/domain owners can check their certs versus that log. That probably has some browser component for checking all of this [5].
>
> 2) Sovereign Key proposal from EFF (Peter Eckersley): Similar to Google's proposal but more complex, uses an audit log of a "Sovereign Key" rather than certs [4].
>
> 3) Convergence Proposal from Whisper Systems/Twitter (Moxie Marlinspike): Features a more decentralized CA-like system with user-based "trust agility" where users can choose which CA-like "notary" to trust via browser [6].
>
> At TPAC, I talked to some of the browser team folks about this, everyone agreed the CA/Browser Forum is dysfunctional (i.e. a front for the current broken CA system) and they would be happy to see W3C or someone move in this space [6]. Google notes "We now have an outline of the basic idea and will be continuing to flesh it out in the coming months, hopefully in conjunction with other browser vendors." [5]
>
> So maybe time for W3C to move? While I understand the TAG only makes "findings", I suggest that given the overlap between the Google and EFF proposal, I'm pretty sure there's a solution space going on here even if it's outside of the TAG's expertise, and that solution space will probably involve browsers, and interaction with the CA/Browser Forum. Sounds like it's time for W3C to make a move. I'd do an analysis of the topic, but also suggest that this problem is big enough to warrant getting folks together ASAP.
>
> Who: I'd suggest that we return to the idea of hosting a workshop on this topic, and since it's a large topic, I suggest W3C co-host with the CA/Browser forum and maybe ISOC/IAB.
> When: Soon as possible.
>
> [1] http://www.youtube.com/watch?v=Z7Wl2FW2TcA
> [2] http://www.guardian.co.uk/technology/2011/sep/05/diginotar-certificate-hack-cyberwar
> [3] http://news.cnet.com/8301-1009_3-20050503-83.html
> [4] https://www.eff.org/deeplinks/2011/11/sovereign-keys-proposal-make-https-and-email-more-secure
> [5] http://www.imperialviolet.org/2011/11/29/certtransparency.html
> [6] http://convergence.io/
Received on Tuesday, 20 December 2011 10:13:25 UTC
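The quoted message's first proposal (a public, append-only audit log of issued certificates that clients and domain owners check against) is the one that a small worked example can make concrete. The following Python is an added illustration written for this archive page; it is not code from Google, the EFF, Whisper Systems or the list participants. It builds a Merkle tree over a constructed list of log entries using the 0x00/0x01 leaf and node prefixes of the Certificate Transparency design, produces an inclusion proof for one entry, verifies it, shows that an unlogged certificate cannot be proven against the same root, and runs the check a domain owner's monitor would run: list every logged certificate for its domain that came from an issuer it never used. The entry strings, issuer names and the `monitor_domain` helper are assumptions made for the example.

```python
import hashlib
from typing import List, Tuple

# Constructed stand-ins for log entries. A real log stores DER-encoded X.509
# certificates; these byte strings just carry the fields the example needs.
SAMPLE_LOG = [
    b"CN=example.org; issuer=Honest CA; serial=1001",
    b"CN=mail.example.org; issuer=Honest CA; serial=1002",
    b"CN=example.net; issuer=Other CA; serial=7",
    b"CN=shop.example.org; issuer=Honest CA; serial=1003",
    b"CN=example.org; issuer=Unfamiliar CA; serial=2048",  # never requested by the owner
]


def hash_leaf(entry: bytes) -> bytes:
    """Leaf hash with the 0x00 domain-separation prefix (RFC 6962 style)."""
    return hashlib.sha256(b"\x00" + entry).digest()


def hash_node(left: bytes, right: bytes) -> bytes:
    """Interior-node hash with the 0x01 prefix, so a leaf can never pose as a node."""
    return hashlib.sha256(b"\x01" + left + right).digest()


def _split_point(n: int) -> int:
    """Largest power of two strictly less than n (n >= 2)."""
    k = 1
    while k * 2 < n:
        k *= 2
    return k


def merkle_root(leaf_hashes: List[bytes]) -> bytes:
    """Merkle Tree Hash over a list of leaf hashes."""
    if not leaf_hashes:
        return hashlib.sha256(b"").digest()
    if len(leaf_hashes) == 1:
        return leaf_hashes[0]
    k = _split_point(len(leaf_hashes))
    return hash_node(merkle_root(leaf_hashes[:k]), merkle_root(leaf_hashes[k:]))


def audit_path(index: int, leaf_hashes: List[bytes]) -> List[Tuple[bytes, str]]:
    """Inclusion proof for leaf `index`: sibling hashes from the leaf up to the
    root, each tagged with the side ("left"/"right") the sibling sits on."""
    n = len(leaf_hashes)
    if n <= 1:
        return []
    k = _split_point(n)
    if index < k:
        return audit_path(index, leaf_hashes[:k]) + [(merkle_root(leaf_hashes[k:]), "right")]
    return audit_path(index - k, leaf_hashes[k:]) + [(merkle_root(leaf_hashes[:k]), "left")]


def verify_inclusion(leaf_hash: bytes, path: List[Tuple[bytes, str]], root: bytes) -> bool:
    """Recompute the root from a leaf hash and its audit path; True iff it matches."""
    h = leaf_hash
    for sibling, side in path:
        h = hash_node(h, sibling) if side == "right" else hash_node(sibling, h)
    return h == root


def _field(entry: bytes, name: str) -> str:
    """Pull one 'key=value' field out of a constructed log entry."""
    for part in entry.decode().split(";"):
        key, _, value = part.strip().partition("=")
        if key == name:
            return value
    return ""


def monitor_domain(log: List[bytes], domain: str, expected_issuers) -> List[bytes]:
    """The domain owner's check: every logged cert for `domain` (or a subdomain)
    whose issuer is not one the owner actually obtained certificates from."""
    unexpected = []
    for entry in log:
        cn = _field(entry, "CN")
        if cn == domain or cn.endswith("." + domain):
            if _field(entry, "issuer") not in expected_issuers:
                unexpected.append(entry)
    return unexpected


def demo() -> List[bytes]:
    leaves = [hash_leaf(e) for e in SAMPLE_LOG]
    root = merkle_root(leaves)
    # A client holding the cert at index 3 checks the log's inclusion proof.
    proof = audit_path(3, leaves)
    assert verify_inclusion(leaves[3], proof, root)
    # A certificate that was never logged has no valid proof against this root.
    assert not verify_inclusion(hash_leaf(b"CN=example.org; issuer=Honest CA; serial=9"), proof, root)
    return monitor_domain(SAMPLE_LOG, "example.org", {"Honest CA"})


if __name__ == "__main__":
    for entry in demo():
        print("unexpected certificate in log:", entry.decode())
```

Running the block prints the one constructed entry for example.org issued by an issuer the owner never used; that is the signal the log is meant to surface, and it is only possible because the log is public and its root commits to every entry, so a certificate that is absent from the log is exactly as suspicious as one that appears from the wrong issuer.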