ISSUE-183

Automatic Selfsigned Certificate acceptance/probation MUST NOT be implemented unless there is a history capability

State:
CLOSED
Product:
wsc-xit
Raised by:
Yngve Pettersen
Opened on:
2008-02-07
Description:
If a client is able to automatically accept a Selfsigned Certificate, or recover from similar problem without user interaction, it MUST NOT do so unless the client also have a history mechanism about security information.

The reason for this is that if there is no information about the previous security state available, an attacker can exploit such automatic actions to stage a Man-In-the-Middle attack by replacing the original site's certificate.
Related Actions Items:
Related emails:
  1. Meeting record: 2008-05-14 (from tlr@w3.org on 2008-06-06)
  2. Meeting record: 2008-05-07 (from tlr@w3.org on 2008-06-06)
  3. Re: Agenda: WSC WG distributed meeting, Wednesday, 2008-05-21 (from egelman@cs.cmu.edu on 2008-05-21)
  4. Re: Agenda: WSC WG distributed meeting, Wednesday, 2008-05-21 (from tlr@w3.org on 2008-05-20)
  5. Agenda: WSC WG distributed meeting, Wednesday, 2008-05-21 (from Mary_Ellen_Zurko@notesdev.ibm.com on 2008-05-20)
  6. Re: ISSUE-183, ISSUE-169 (from Mary_Ellen_Zurko@notesdev.ibm.com on 2008-05-14)
  7. Re: ISSUE-183: Automatic Selfsigned Certificate acceptance/probation MUST NOT be implemented unless there is a history capability [wsc-xit] (from Mary_Ellen_Zurko@notesdev.ibm.com on 2008-05-14)
  8. Re: ISSUE-183, ISSUE-169 (from steele@adobe.com on 2008-05-12)
  9. Re: ISSUE-183: Automatic Selfsigned Certificate acceptance/probation MUST NOT be implemented unless there is a history capability [wsc-xit] (from Anil.Saldhana@redhat.com on 2008-05-12)
  10. Re: ISSUE-183: Automatic Selfsigned Certificate acceptance/probation MUST NOT be implemented unless there is a history capability [wsc-xit] (from Anil.Saldhana@redhat.com on 2008-05-11)
  11. Re: Agenda: WSC WG distributed meeting, Wednesday, 2008-05-07 (from hahnt@us.ibm.com on 2008-05-06)
  12. Agenda: WSC WG distributed meeting, Wednesday, 2008-05-07 (from Mary_Ellen_Zurko@notesdev.ibm.com on 2008-05-06)
  13. WSC WG f2f May 2008 Agenda (v 1.0) (from Mary_Ellen_Zurko@notesdev.ibm.com on 2008-05-02)
  14. Re: Agenda: WSC WG distributed meeting, Wednesday, 2008-04-30 (from tlr@w3.org on 2008-04-29)
  15. Re: Agenda: WSC WG distributed meeting, Wednesday, 2008-04-30 (from egelman@cs.cmu.edu on 2008-04-29)
  16. Re: Agenda: WSC WG distributed meeting, Wednesday, 2008-04-30 (from maritzaj@cs.columbia.edu on 2008-04-29)
  17. Agenda: WSC WG distributed meeting, Wednesday, 2008-04-30 (from Mary_Ellen_Zurko@notesdev.ibm.com on 2008-04-29)
  18. ISSUE-183: Automatic Selfsigned Certificate acceptance/probation MUST NOT be implemented unless there is a history capability [wsc-xit] (from sysbot+tracker@w3.org on 2008-02-07)

Related notes:

ACTION-428 has added the text into XIT, section 5.1.5

Anil Saldhana, 11 May 2008, 21:20:45

Display change log ATOM feed

Mary Ellen Zurko <mzurko@us.ibm.com>, Chair, Thomas Roessler <tlr@w3.org>, Staff Contact
Tracker (configuration for this group), originally developed by Dean Jackson, is developed and maintained by the Systems Team <w3t-sys@w3.org>.
$Id: 183.html,v 1.1 2010/10/11 09:35:10 dom Exp $