RE: ISSUE-130 (Trust Anchors): Trust Anchor Consistency Across Devices? [Techniques]

• From: Luis Barriga <luis.barriga@ericsson.com>
• Date: Tue, 16 Oct 2007 14:57:24 +0200
• To: "Stephen Farrell" <stephen.farrell@cs.tcd.ie>, "Serge Egelman" <egelman@cs.cmu.edu>, "Johnathan Nightingale" <johnath@mozilla.com>, "Ian Fette" <ifette@google.com>
• Cc: "Web Security Context Working Group WG" <public-wsc-wg@w3.org>
• Message-ID: <1C6A13C92F510849B72272A71F9F3BCB01FA8275@esealmw105.eemea.ericsson.se>

I see short-, medium- and long-term recommendations to achieve overall
trust and security consistency across devices involving warnings, TLS
and anchors.

Short-term: there is a need to identify those use cases (if any) where
warnings are obviously not needed at all. The UA can then *reduce* their
amount. (*eliminating* them with current infras and practices is not
feasible)

For example, if I start at a login site with self-signed cert (SSC) or a
Unknown Trust Anchor (UTA), and I accept the very first *active*
warning, why should I keep getting the warning again for each
redirection that doesn't change the security level (except for the same
SSC or UTA). Does anyone see an attack vector here?

Medium-term recs include those targetted to web site authoring and
deployment folks so that they enforce TLS consistency across devices.
(see Yahoo use case below)

Long-term recs are having some common common Trust-Anchors and/or a
(IETF) protocol.

Luis 

-----Original Message-----
From: public-wsc-wg-request@w3.org [mailto:public-wsc-wg-request@w3.org]
On Behalf Of Stephen Farrell
Sent: den 15 oktober 2007 23:47
To: Luis Barriga
Cc: Serge Egelman; Johnathan Nightingale; Ian Fette; Web Security
Context Working Group WG
Subject: Re: ISSUE-130 (Trust Anchors): Trust Anchor Consistency Across
Devices? [Techniques]



Well, we may need to be careful - people have paid large piles of money
to get roots included (unless sanity's gotten contagious since I last
looked, which'd be nice).

Could be all sorts of problems with trying to unify that list across
browsers, or with asking one private-members club to maintain the list,
much as it seems to make sense.

If a trust anchor management protocol does come into being, that'd
provide a more broadly applicable answer.

I think the idea of commensurate security across different devices for
the same service, really does make a lot of sense.
(Good catch.)

S.

Serge Egelman wrote:
> Yeah, I agree completely.  I guess what I meant was, when determining 
> which trust anchors to use in a given browser, we should recommend 
> that CABForum maintains this set of certificates.  But that'll just be

> one of many recommendations in this area.  Obviously using the same 
> certificate on the same website across different platforms would be
another one.
> 
> serge
> 
> Luis Barriga wrote:
>> Well, it certainly makes sense intuitively, but reality doesn't.
>>
>> There is a related issue that I also discovered: Yahoo mail service
protects login pages with TLS, but the corresponding mobile version
doesn't. Check it yourself: mail.yahoo.com (on a desktop) vs.
"mobile.yahoo.com >> mail" (on a smartphone).
>>
>> Thus we need another (obvious?) recommendation on TLS consistency
across devices?
>>
>> It probably makes sense to group all these consistency across-devices
recommendations.
>>
>> Luis
>>
>> -----Original Message-----
>> From: public-wsc-wg-request@w3.org on behalf of Serge Egelman
>> Sent: Mon 2007-10-15 22:06
>> To: Johnathan Nightingale
>> Cc: Ian Fette; Web Security Context Working Group WG
>> Subject: Re: ISSUE-130 (Trust Anchors): Trust Anchor Consistency
Across Devices?   [Techniques]
>>  
>>
>> We should just say that CABForum is responsible for this :)
>>
>> serge
>>
>> Johnathan Nightingale wrote:
>>> Yeah, but even with trust anchors there are things like certs with 
>>> multiple signing chains which not all pki stacks can handle, and 
>>> there are also plausible policy-based differences, like a user agent

>>> that decided to only accept roots from CAs that offer service 
>>> guarantees on their OCSP servers.
>>>
>>> Don't get me wrong, I totally support including this as a Best 
>>> Practice, it falls under "just makes sense" for me - but I'm also 
>>> happy it's a best practice, not mandatory, normative language, since

>>> that would probably make compliance with the spec unrealistic for
some authors.
>>>
>>> Cheers,
>>>
>>> J
>>>
>>> On 15-Oct-07, at 3:51 PM, Serge Egelman wrote:
>>>
>>>> Uhhh, this is just about trust anchors (e.g. root certificates), 
>>>> not the other proposals.
>>>>
>>>> serge
>>>>
>>>> Ian Fette wrote:
>>>>> Provided that it makes sense for the context. i.e. half of these 
>>>>> recommendations I think would be nightmarish on a mobile device if

>>>>> you just take the desktop implementation and tried to use it with 
>>>>> mobile. I think consistency is good, but "making sense" on the 
>>>>> native platform is certainly going to have to be higher priority 
>>>>> if we are to expect adoption.
>>>>>
>>>>> On 10/15/07, *Serge Egelman* <egelman@cs.cmu.edu 
>>>>> <mailto:egelman@cs.cmu.edu>> wrote:
>>>>>
>>>>>
>>>>>     I would certainly agree to this recommendation.
>>>>>
>>>>>     serge
>>>>>
>>>>>     Web Security Context Working Group Issue Tracker wrote:
>>>>>> ISSUE-130 (Trust Anchors): Trust Anchor Consistency Across
>>>>>     Devices? [Techniques]
>>>>>> http://www.w3.org/2006/WSC/track/issues/
>>>>>>
>>>>>> Raised by: Luis Barriga
>>>>>> On product: Techniques
>>>>>>
>>>>>> At the f2f meeting I mentioned one of the findings on
>>>>>     smart-phones: the pre-provisioned trust anchors in smartphones
are
>>>>>     disjoint from the ones in desktop browsers. The opposite is 
>>>>> valid too.
>>>>>> As a result, users visiting the one site on a smartphone and on a
>>>>>     desktop browser will see TLS warnings that they has not seen
>>>>>     previously when visiting the same site. (Trust is temporary
>>>>> unavailable)
>>>>>> Shall we add a Deployment Best Practice 8.x section on "Trust
>>>>>     Anchor Consistency across devices" that basically recommends
browser
>>>>>     vendors, phone manufacturers etc to have a consistent set of
>>>>>     pre-provisioned trust anchors?
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>     --
>>>>>     /*
>>>>>     Serge Egelman
>>>>>
>>>>>     PhD Candidate
>>>>>     Vice President for External Affairs, Graduate Student Assembly
>>>>>     Carnegie Mellon University
>>>>>
>>>>>     Legislative Concerns Chair
>>>>>     National Association of Graduate-Professional Students
>>>>>     */
>>>>>
>>>>>
>>>> --/*
>>>> Serge Egelman
>>>>
>>>> PhD Candidate
>>>> Vice President for External Affairs, Graduate Student Assembly 
>>>> Carnegie Mellon University
>>>>
>>>> Legislative Concerns Chair
>>>> National Association of Graduate-Professional Students */
>>>>
>>> ---
>>> Johnathan Nightingale
>>> Human Shield
>>> johnath@mozilla.com
>>>
>>>
>>>
> 

Received on Tuesday, 16 October 2007 12:57:35 UTC