- From: Doyle, Bill <wdoyle@mitre.org>
- Date: Thu, 28 Dec 2006 11:25:51 -0500
- To: <public-wsc-wg@w3.org>
The point about self signed certs that I was thinking about is that self-signed mechanisms do not have a "trusted" 3rd party involved. I feel that this places the burden of "trust" on the user, the user needs to verify that trust should continue to be extended and the user should be aware of this. Is this site still the same site that I trusted when I allowed it? Lacking a 3rd party to decline the connection the connection is made. I don't expect that users are going to remember to re-certify sites because I won't. I don't remember what sites I have configured to use self-signed certs unless I own it. For me, a browser with "grandma mode" that blocks sites with self-signed certs could be useful... Bill D. wdoyle@mitre.org -----Original Message----- From: public-wsc-wg-request@w3.org [mailto:public-wsc-wg-request@w3.org] On Behalf Of michael.mccormick@wellsfargo.com Sent: Thursday, December 28, 2006 1:11 AM To: public-wsc-wg@w3.org Subject: RE: Browser security warning Just a nit, but there's a subtle yet important distinction between a self-signed cert versus a cert issued by a self-signed root authority. My example was of the latter type. There are legitimate reasons to create one's own self-signed RCA, and there's no reason why it would necessarily be incapable of publishing a CRL and/or supporting OCSP. Mike -----Original Message----- From: public-wsc-wg-request@w3.org [mailto:public-wsc-wg-request@w3.org] On Behalf Of Doyle, Bill Sent: Wednesday, December 27, 2006 1:53 PM To: public-wsc-wg@w3.org Subject: RE: Browser security warning I feel that a self signed cert is a trust between the user and the site. The self signed cert may not be able to make use of programmatic mechanisms that support trust of a CA issued cert like CRLs. Continued trust of a site that uses a self-signed cert places the burden of trust on the user. Turning off security indicators (padlock - url color) is one way to remind the user to keep tabs on the site and to verify that trust should continue to be extended. It may also generate more calls to the sites help desk and maybe the site will buy a CA cert because it is less of a hassle than continued use of a self signed cert. If this happens this raises the level of security for all involved. I agree that self-signed certs should be viable, but because they may not be supported by programmatic mechanisms to revoke the cert they are not in the same category as a CA generated cert. Bill D. wdoyle@mitre.org -----Original Message----- From: public-wsc-wg-request@w3.org [mailto:public-wsc-wg-request@w3.org] On Behalf Of Stephen Farrell Sent: Wednesday, December 27, 2006 12:21 PM To: Stuart E. Schechter Cc: public-wsc-wg@w3.org Subject: Re: Browser security warning Stuart E. Schechter wrote: > I don't think there is a large set of sites that can't afford a CA cert > (category 2) and actually require the security offered by HTTPS. I don't know of any evidence for that, but would be interested if there were some. (Technically, I could also quibble a bit with your statement, since we're discussing server-authentication, so I guess you meant an SSL-server cert above and HTTPS can also be used with D-H, without providing server authentication, though that doesn't get much use.) (At least in the developed world,) the point is not the actual amount, but whether or not to increase the existing bias towards getting people to pay commercial CAs for certs or not. Commercial CAs have their purpose, but should not IMO be required in order to create a perception of security for HTTP traffic. Sometimes they are appropriate, sometimes they just add a burden that arguably could cause less use of SSL - if its too much hassle to turn it on. > I think the safest default behavior for a browser that receives a > self-signed cert is to show an error page. The message should tell > the user to contact the site's administrator to ask them to fix the > problem. I don't agree that self-signed certs are a problem and would really not like to see such browser behaviour encouraged. The main point is that naively differentiating between a "secure" state (padlock) and an insecure one (no padlock) isn't very effective. I don't believe that changing from that binary approach to an N-ary one, where the N options map to TLS state-machine states will be any more effective. We need a subtler mix... S.
Received on Thursday, 28 December 2006 16:26:06 UTC