- From: Luis Barriga <luis.barriga@ericsson.com>
- Date: Mon, 15 Oct 2007 22:57:40 +0200
- To: "Serge Egelman" <egelman@cs.cmu.edu>, "Johnathan Nightingale" <johnath@mozilla.com>
- Cc: "Ian Fette" <ifette@google.com>, "Web Security Context Working Group WG" <public-wsc-wg@w3.org>
Well, it certainly makes sense intuitively, but reality doesn't. There is a related issue that I also discovered: Yahoo mail service protects login pages with TLS, but the corresponding mobile version doesn't. Check it yourself: mail.yahoo.com (on a desktop) vs. "mobile.yahoo.com >> mail" (on a smartphone). Thus we need another (obvious?) recommendation on TLS consistency across devices? It probably makes sense to group all these consistency-across-devices recommendations.

Luis

-----Original Message-----
From: public-wsc-wg-request@w3.org on behalf of Serge Egelman
Sent: Mon 2007-10-15 22:06
To: Johnathan Nightingale
Cc: Ian Fette; Web Security Context Working Group WG
Subject: Re: ISSUE-130 (Trust Anchors): Trust Anchor Consistency Across Devices? [Techniques]

We should just say that CABForum is responsible for this :)

serge

Johnathan Nightingale wrote:
> Yeah, but even with trust anchors there are things like certs with
> multiple signing chains which not all pki stacks can handle, and there
> are also plausible policy-based differences, like a user agent that
> decided to only accept roots from CAs that offer service guarantees on
> their OCSP servers.
>
> Don't get me wrong, I totally support including this as a Best Practice,
> it falls under "just makes sense" for me - but I'm also happy it's a
> best practice, not mandatory, normative language, since that would
> probably make compliance with the spec unrealistic for some authors.
>
> Cheers,
>
> J
>
> On 15-Oct-07, at 3:51 PM, Serge Egelman wrote:
>
>> Uhhh, this is just about trust anchors (e.g. root certificates), not the
>> other proposals.
>>
>> serge
>>
>> Ian Fette wrote:
>>> Provided that it makes sense for the context. i.e. half of these
>>> recommendations I think would be nightmarish on a mobile device if you
>>> just take the desktop implementation and tried to use it with mobile. I
>>> think consistency is good, but "making sense" on the native platform is
>>> certainly going to have to be higher priority if we are to expect
>>> adoption.
>>>
>>> On 10/15/07, *Serge Egelman* <egelman@cs.cmu.edu> wrote:
>>>
>>>     I would certainly agree to this recommendation.
>>>
>>>     serge
>>>
>>>     Web Security Context Working Group Issue Tracker wrote:
>>>>
>>>> ISSUE-130 (Trust Anchors): Trust Anchor Consistency Across Devices? [Techniques]
>>>>
>>>> http://www.w3.org/2006/WSC/track/issues/
>>>>
>>>> Raised by: Luis Barriga
>>>> On product: Techniques
>>>>
>>>> At the f2f meeting I mentioned one of the findings on smart-phones:
>>>> the pre-provisioned trust anchors in smartphones are disjoint from
>>>> the ones in desktop browsers. The opposite is valid too.
>>>>
>>>> As a result, users visiting one site on a smartphone and on a
>>>> desktop browser will see TLS warnings that they have not seen
>>>> previously when visiting the same site. (Trust is temporarily
>>>> unavailable.)
>>>>
>>>> Shall we add a Deployment Best Practice 8.x section on "Trust
>>>> Anchor Consistency across devices" that basically recommends browser
>>>> vendors, phone manufacturers etc. to have a consistent set of
>>>> pre-provisioned trust anchors?
>>>>
>>>
>
> ---
> Johnathan Nightingale
> Human Shield
> johnath@mozilla.com
>

--
/*
Serge Egelman

PhD Candidate
Vice President for External Affairs, Graduate Student Assembly
Carnegie Mellon University

Legislative Concerns Chair
National Association of Graduate-Professional Students
*/
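The "disjoint trust anchors" finding in ISSUE-130 is something a deployer can measure rather than guess at. The script below is an added example and is not part of this thread or of any W3C or vendor tooling: it reads the PEM trust-anchor bundles of two devices, identifies anchors by the SHA-256 fingerprint of their DER encoding (the way root programs identify them, so no X.509 parsing is needed), reports which anchors each device lacks, and then, given the root that a site's chain ends in, lists the devices on which that site would produce a TLS warning. The bundles and site list are constructed stand-ins; on a real run you would feed it a desktop CA bundle and an exported phone store, and the site-to-root mapping would come from the served chains.

```python
"""Trust-anchor consistency check across two device stores (added example,
not code from the WSC thread). Standard library only."""
import base64
import hashlib
import re
from typing import Dict, List, Set

# One PEM certificate block; re.S lets the base64 body span lines.
PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def fingerprints(pem_bundle: str) -> Set[str]:
    """SHA-256 fingerprints of every certificate in a PEM bundle."""
    out = set()
    for b64 in PEM_RE.findall(pem_bundle):
        der = base64.b64decode("".join(b64.split()))
        out.add(sha256_hex(der))
    return out


def store_diff(stores: Dict[str, str]) -> Dict[str, Set[str]]:
    """Per device: anchors present in some other store but missing here."""
    fps = {name: fingerprints(pem) for name, pem in stores.items()}
    union = set().union(*fps.values())
    return {name: union - have for name, have in fps.items()}


def sites_that_warn(stores: Dict[str, str],
                    site_roots: Dict[str, str]) -> Dict[str, List[str]]:
    """For each site (mapped to the fingerprint of the root its chain ends
    in), the devices on which that root is not pre-provisioned, i.e. where
    the user meets a warning they did not see on the other device."""
    fps = {name: fingerprints(pem) for name, pem in stores.items()}
    result = {}
    for site, root_fp in site_roots.items():
        missing = sorted(n for n, have in fps.items() if root_fp not in have)
        if missing:
            result[site] = missing
    return result


def _constructed_pem(payload: bytes) -> str:
    # Constructed stand-in for a root certificate. A real bundle carries DER
    # X.509 here; the fingerprint logic only needs the raw bytes.
    b64 = base64.b64encode(payload).decode()
    return f"-----BEGIN CERTIFICATE-----\n{b64}\n-----END CERTIFICATE-----\n"


# Constructed sample data: A is in both stores, B only on desktop, C only on phone.
ROOT_A = b"constructed root A (in both stores)"
ROOT_B = b"constructed root B (desktop only)"
ROOT_C = b"constructed root C (phone only)"

STORES = {
    "desktop": _constructed_pem(ROOT_A) + _constructed_pem(ROOT_B),
    "phone": _constructed_pem(ROOT_A) + _constructed_pem(ROOT_C),
}

# Constructed site-to-root mapping (hostnames are placeholders).
SITE_ROOTS = {
    "mail.example (chains to A)": sha256_hex(ROOT_A),
    "bank.example (chains to B)": sha256_hex(ROOT_B),
    "shop.example (chains to C)": sha256_hex(ROOT_C),
}

if __name__ == "__main__":
    for device, missing in store_diff(STORES).items():
        print(f"{device}: lacks {len(missing)} anchor(s) the other device has")
    for site, devices in sites_that_warn(STORES, SITE_ROOTS).items():
        print(f"{site}: would warn on {', '.join(devices)}")
```

Comparing by fingerprint rather than by subject name matters because root programs ship cross-signed and re-issued roots with identical subjects but different keys; two stores that "both have CA X" by name can still be disjoint by key, which is exactly the case in which a site would warn on one device and not the other.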
Received on Monday, 15 October 2007 21:00:50 UTC