Edit comment LC-2088 for Web Security Context Working Group

Quick access to LC-2056 LC-2057 LC-2058 LC-2059 LC-2087 LC-2088 LC-2092 LC-2093 LC-2094 LC-2095 LC-2129

Comment LC-2088

Comment Shortname:

Commenter: Vijay K. Gurbani <vkg@alcatel-lucent.com>

Message-id:

Section of the document concerned:

[Free text description]Document as a wholeWeb Security Context: User Interface Guidelines... Web Security Context: User Interface Guidelines W3C Working Draft 24 July 2008 Abstract Status of this Document Table of Contents 1 Overview 2 Acknowledgments 3 Conformance 3.1 Product classes 3.2 Language conventions 3.3 Conformance levels 3.4 Conformance claims 4 Interaction and content model 4.1 Overview 4.2 Terms and definitions 4.2.1 Common User Interface elements 5 Applying TLS to the Web 5.1 Certificate Handling and Information 5.1.1 Interactively accepting trust anchors or certificates 5.1.2 Augmented Assurance Certificates 5.1.3 Validated Certificates 5.1.4 Logotype Certificates 5.1.5 Self-signed Certificates and Untrusted Root Certificates 5.1.6 Petnames 5.2 Types of TLS 5.3 Mixed Content 5.4 Error conditions 5.4.1 TLS errors 5.4.2 Error Conditions based on Third Party or Heuristic Information 5.4.3 Redirection chains 5.4.4 Insecure form submission 6 Indicators and Interactions 6.1 Identity and Trust Anchor Signalling 6.1.1 Identity Signal 6.1.2 Identity Signal Content 6.2 Additional Security Context Information 6.3 TLS indicator 6.4 Error handling and signalling 6.4.1 Common Error Interaction Requirements 6.4.2 Notifications and Status Indicators 6.4.3 Warning/Caution Messages 6.4.4 Danger Messages 6.5 Chrome Reconfiguration 7 Robustness 7.1 Chrome and User Interface Practices 7.1.1 Use Shared Secrets to Establish a Trusted Path 7.1.2 Keep Security Chrome Visible 7.2 Do not mix content and security indicators 7.3 Managing User Attention 7.4 APIs Exposed To Web Content 7.4.1 Obscuring or disabling Security User Interfaces 7.4.2 Software Installation 7.4.3 Bookmarking APIs 7.4.4 Pop-up Window APIs 8 Security Considerations 8.1 Active attacks during initial TLS interactions 8.2 Certificate Status Checking Failures 8.3 Certificates assure identity, not security 8.4 Binding "human readable" names to domain names 8.5 Warning Fatigue 8.6 Mixing Augmented Assurance and Validated Certificates 9 References
or

Refinement of the section concerned:

Status:

open proposal pending resolved_yes resolved_no resolved_partial other assigned to Nobody

Type: substantive editorial typo question general comment undefined

Resolution status:

Response drafted Resolution implemented Reply sent to commenter

Response status:

No response from Commenter yet Commenter approved disposition Commenter objected to disposition
Commenter's response (URI):

Comment:

Lisa Dusseault wrote:
>> Although this is an external spec, it would be great to get a
>> couple of IETF reviewers. I'll send this to secdir as well.
[...]
>> The Web Security Context WG announces the publication transition of
>> Web Security Context: User Interface Guidelines.
>> Review ends on on September 15 2008.

All: I reviewed wsc-ui for the IETF APPS area; review is
attached. For any follow-ups, please CC me to the email
since I do not subscribe to the public-usable-authentication@w3.org
list. Thank you.

Review: Web Security Context: User Interface Guidelines,
W3C Working Draft 24 July 2008
Review date: Sept. 3, 2008
Due date: Sept. 15, 2008
Reviewer: Vijay K. Gurbani <vkg@bell-labs.com>

Global: At various places, the draft refers to RFC 3280. That
RFC is obsolete, having been replaced by RFC 5280.

Nit: In Section 5.1.2 second paragraph, second line, small typo:
s/document but/document, but/

The rest of the comments refer to specific sections. In crafting
my feedback below, I quote the specific text in the section first
by indenting two spaces, and follow that with the particular comment
I have on that text.

Section 5.1.2:

Web user agents MUST establish that a trust anchor is
[Definition: AA-qualified ] through some out of band mechanism
consistent with the relevant underlying augmented assurance
specification.

Marking a trust anchor as AA-qualified is a security-critical
step and most often will involve the use of some application-
specific out-of-band mechanism.

A couple of paragraphs before the above quoted paragraphs, it is stated
that a Web user agent may adequately trust a certificate if it is
specially marked using an OID, for instance. But yet the two paragraphs
quoted above appear to be making a case against that statement by
implying that a Web user agent MUST only trust a trust anchor using some
OOB means. So, which is it: an OOB means or a well-known OID?

Section 5.1.2:

If the certificate's Subject field does not have an
Organization attribute, then user agents MUST NOT consider the
certificate as an augmented assurance certificate, even if it
chains up to an AA-qualified trust root. User agents MAY
consider such a certificate as an ordinary validated certificate.

What happens if a certificate's Subject field is empty, but the
SubjectAltName extension is marked critical and the subject's
identity is specified in the SAN field? All things being equal
(i.e., an OID marks the certificate), would such a certificate be
considered trusted?

Section 5.1.5:

... Such behavior includes, e.g., warning users about changes of
certificates, and not showing warning messages if a site shows
a certificate consistent with previous visits.

Just curious: do we need to specify how many times the site has to
present the same self-signed cert before being considered trusted?
I think ssh asks for confirmation from the user on the first instance;
after that, connections to the same ssh server are deemed trusted.

Section 5.1.6: I have not used petnames, nor do I know much about their
usage in the context of this document, so treat the rest of this comment
as feedback tinged with curiosity from someone uninitiated with the
workings of W3C and unaware of how pervasive the petname concept is
in that domain (certainly, I do not think I have ran across a current
browser that uses petnames in its chrome.) Please treat this as a
pure comment and not anything that needs resolution.

It seems to me that the petname is a concept layered on top of the
information present in X.509 certificates. As such, it is a level of
abstraction above the X.509 certificate. Especially, the petname
implementor would have to account for wildcards, delegation, etc.
If care is not taken to write a good implementation, then security could
be -- I think -- compromised by someone modifying the contents of the
petname database, or by other means.

If any action item results from this comment at all, it would
be along one or more references on more information into the
petname concept, especially any papers that outline the threat
model of using such a concept. I Googled and ran across
http://www.w3.org/2005/Security/usability-ws/papers/02-hp-petname,
but that does not contain a threat analysis of this concept. It
does, however, explain very well the concept of a petname.

Section 5.4.1

When certificate information is presented in these interactions,
human-readable information derived from the certificates
(e.g., Common Name or Organization attributes) in question MUST NOT
be presented as trustworthy.

Suggest to clarify what "these interactions" means. Do you mean that
information derived only from self-signed certificates must not be
presented as trustworthy? Or do you mean that information derived from
certificate issued by a CA whose certificate path has been verified is
also untrustworthy? I think you mean the former, but a clarification
will help (as an example, the paragraph right after the one I quote
above makes it abundantly clear that "these interactions" consist of
deriving identity information from untrusted certificates.)

Section 6.1.1

o If the identity signal does not include any other human readable
information about the identity of the certificate subject
(derived, e.g., from an augmented assurance certificate or a
petname), then it MUST include an applicable DNS name retrieved
from the subject's Common Name attribute or from a
subjectAltName extension.

The PKIX WGs view is that DNS names should not appear in the CN
but rather in the SAN extension. That said, it is the case that
existing certificates in use today for web traffic do carry a
DNS name in the CN attribute. To future proof this specification,
you may want to indicate that if a DNS name is not found in the
SAN (or if the SAN is empty) and there is a DNS name in the CN,
then the DNS name from the CN must be used.

Another aspect to consider is what happens if there are multiple
identities in the SAN? Some may be email identities and other
DNS identities. Any guidance on what the implementation should
do when faced with multiple identities in SAN would be helpful.
As a start, implementations should look for a DNS identity in
the SAN that matches the URI used to reach that resource, keeping
in mind wildcard matching (since this is apparently allowed in HTTP.)

Section 7.1.1
A trusted path can be established between a web user agent
and the user through the use of a secret shared between the
user and the agent.

Here, do you mean that a trusted path can be established between a web
*server* and user? When I read "web user agent", I automatically
think of the browser; but the discussion in Section 7.1.1 appears
to pertain to a web server, especially with references to phishing.
Or am I missing something?

That's it.

Thanks,

- vijay

Related issues: (space separated ids)

WG Notes: Blocks on possible changes to petnames text. Disccussed in: http://www.w3.org/2008/09/24-wsc-minutes.html editorial change not made - what's up? think the answer to san making it trusted is "yes" - asked. action 517 follow up. double check pinning - still in?

Resolution: In our latest editor's draft we have: - 5.1.2 nit fixed - thank you. - changed references from 3280 to 5280 - on your 5.1.2. OOB/OID question - we've updated the text to clarify. The OID may be in addition to specifying which are AA via an out of band mechanism. - on your 5.1.2 Subject field question - the subject must contain at least an org to be considered an AA certificate. If the subject was empty, the certificate would still be trusted, but not AA. - on 5.1.5 - We have decided not to specify how many times site has to present the same self-signed cert before being considered trusted. - 5.1.6 comment - we have removed the conformance language around petnames, though have kept it in the security considerations section, and added a better reference. - updated the 5.4.1 text to read: When certificate information is presented in the interactions described in this section, then human-readable information from certificates MUST NOT be presented as trustworthy unless it is attested to. E.g., a self-signed certificate's Common Name or Organization attribute must not be displayed, even if that certificate is pinned to a destination. Web user agents MAY display this information in a dialog and other secondary chrome reachable from the warning or error messages specified here. - Updated the 6.1.1 text to read: If the identity signal does not include any other human readable information about the identity of the certificate subject (derived, e.g., from an augmented assurance certificate), then it MUST include an applicable DNS name that matches either the subject's Common Name attribute or its subjectAltName extension. User agents MAY shorten such a DNS name by displaying only a suffix. - Removed the trusted path section.

(Please make sure the resolution is adapted for public consumption)