- From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
- Date: Mon, 15 Oct 2007 22:47:14 +0100
- To: Luis Barriga <luis.barriga@ericsson.com>
- CC: Serge Egelman <egelman@cs.cmu.edu>, Johnathan Nightingale <johnath@mozilla.com>, Ian Fette <ifette@google.com>, Web Security Context Working Group WG <public-wsc-wg@w3.org>
Well, we may need to be careful - people have paid large piles of money to get roots included (unless sanity's gotten contagious since I last looked, which'd be nice). Could be all sorts of problems with trying to unify that list across browsers, or with asking one private-members club to maintain the list, much as it seems to make sense. If a trust anchor management protocol does come into being, that'd provide a more broadly applicable answer. I think the idea of commensurate security across different devices for the same service, really does make a lot of sense. (Good catch.) S. Serge Egelman wrote: > Yeah, I agree completely. I guess what I meant was, when determining > which trust anchors to use in a given browser, we should recommend that > CABForum maintains this set of certificates. But that'll just be one of > many recommendations in this area. Obviously using the same certificate > on the same website across different platforms would be another one. > > serge > > Luis Barriga wrote: >> Well, it certainly makes sense intuitively, but reality doesn't. >> >> There is a related issue that I also discovered: Yahoo mail service protects login pages with TLS, but the corresponding mobile version doesn't. Check it yourself: mail.yahoo.com (on a desktop) vs. "mobile.yahoo.com >> mail" (on a smartphone). >> >> Thus we need another (obvious?) recommendation on TLS consistency across devices? >> >> It probably makes sense to group all these consistency across-devices recommendations. >> >> Luis >> >> -----Original Message----- >> From: public-wsc-wg-request@w3.org on behalf of Serge Egelman >> Sent: Mon 2007-10-15 22:06 >> To: Johnathan Nightingale >> Cc: Ian Fette; Web Security Context Working Group WG >> Subject: Re: ISSUE-130 (Trust Anchors): Trust Anchor Consistency Across Devices? [Techniques] >> >> >> We should just say that CABForum is responsible for this :) >> >> serge >> >> Johnathan Nightingale wrote: >>> Yeah, but even with trust anchors there are things like certs with >>> multiple signing chains which not all pki stacks can handle, and there >>> are also plausible policy-based differences, like a user agent that >>> decided to only accept roots from CAs that offer service guarantees on >>> their OCSP servers. >>> >>> Don't get me wrong, I totally support including this as a Best Practice, >>> it falls under "just makes sense" for me - but I'm also happy it's a >>> best practice, not mandatory, normative language, since that would >>> probably make compliance with the spec unrealistic for some authors. >>> >>> Cheers, >>> >>> J >>> >>> On 15-Oct-07, at 3:51 PM, Serge Egelman wrote: >>> >>>> Uhhh, this is just about trust anchors (e.g. root certificates), not the >>>> other proposals. >>>> >>>> serge >>>> >>>> Ian Fette wrote: >>>>> Provided that it makes sense for the context. i.e. half of these >>>>> recommendations I think would be nightmarish on a mobile device if you >>>>> just take the desktop implementation and tried to use it with mobile. I >>>>> think consistency is good, but "making sense" on the native platform is >>>>> certainly going to have to be higher priority if we are to expect >>>>> adoption. >>>>> >>>>> On 10/15/07, *Serge Egelman* <egelman@cs.cmu.edu >>>>> <mailto:egelman@cs.cmu.edu>> wrote: >>>>> >>>>> >>>>> I would certainly agree to this recommendation. >>>>> >>>>> serge >>>>> >>>>> Web Security Context Working Group Issue Tracker wrote: >>>>>> ISSUE-130 (Trust Anchors): Trust Anchor Consistency Across >>>>> Devices? [Techniques] >>>>>> http://www.w3.org/2006/WSC/track/issues/ >>>>>> >>>>>> Raised by: Luis Barriga >>>>>> On product: Techniques >>>>>> >>>>>> At the f2f meeting I mentioned one of the findings on >>>>> smart-phones: the pre-provisioned trust anchors in smartphones are >>>>> disjoint from the ones in desktop browsers. The opposite is valid >>>>> too. >>>>>> As a result, users visiting the one site on a smartphone and on a >>>>> desktop browser will see TLS warnings that they has not seen >>>>> previously when visiting the same site. (Trust is temporary >>>>> unavailable) >>>>>> Shall we add a Deployment Best Practice 8.x section on "Trust >>>>> Anchor Consistency across devices" that basically recommends browser >>>>> vendors, phone manufacturers etc to have a consistent set of >>>>> pre-provisioned trust anchors? >>>>>> >>>>>> >>>>>> >>>>>> >>>>>> >>>>> -- >>>>> /* >>>>> Serge Egelman >>>>> >>>>> PhD Candidate >>>>> Vice President for External Affairs, Graduate Student Assembly >>>>> Carnegie Mellon University >>>>> >>>>> Legislative Concerns Chair >>>>> National Association of Graduate-Professional Students >>>>> */ >>>>> >>>>> >>>> --/* >>>> Serge Egelman >>>> >>>> PhD Candidate >>>> Vice President for External Affairs, Graduate Student Assembly >>>> Carnegie Mellon University >>>> >>>> Legislative Concerns Chair >>>> National Association of Graduate-Professional Students >>>> */ >>>> >>> --- >>> Johnathan Nightingale >>> Human Shield >>> johnath@mozilla.com >>> >>> >>> >
Received on Monday, 15 October 2007 21:47:30 UTC