- From: Johnathan Nightingale <johnath@mozilla.com>
- Date: Mon, 15 Oct 2007 16:00:23 -0400
- To: Serge Egelman <egelman@cs.cmu.edu>
- Cc: Ian Fette <ifette@google.com>, Web Security Context Working Group WG <public-wsc-wg@w3.org>
Yeah, but even with trust anchors there are things like certs with multiple signing chains which not all PKI stacks can handle, and there are also plausible policy-based differences, like a user agent that decided to only accept roots from CAs that offer service guarantees on their OCSP servers.

Don't get me wrong, I totally support including this as a Best Practice, it falls under "just makes sense" for me - but I'm also happy it's a best practice, not mandatory, normative language, since that would probably make compliance with the spec unrealistic for some authors.

Cheers,

J

On 15-Oct-07, at 3:51 PM, Serge Egelman wrote:

> Uhhh, this is just about trust anchors (e.g. root certificates), not the other proposals.
>
> serge
>
> Ian Fette wrote:
>> Provided that it makes sense for the context. i.e. half of these recommendations I think would be nightmarish on a mobile device if you just take the desktop implementation and tried to use it with mobile. I think consistency is good, but "making sense" on the native platform is certainly going to have to be higher priority if we are to expect adoption.
>>
>> On 10/15/07, *Serge Egelman* <egelman@cs.cmu.edu <mailto:egelman@cs.cmu.edu>> wrote:
>>
>> I would certainly agree to this recommendation.
>>
>> serge
>>
>> Web Security Context Working Group Issue Tracker wrote:
>>> ISSUE-130 (Trust Anchors): Trust Anchor Consistency Across Devices? [Techniques]
>>>
>>> http://www.w3.org/2006/WSC/track/issues/
>>>
>>> Raised by: Luis Barriga
>>> On product: Techniques
>>>
>>> At the f2f meeting I mentioned one of the findings on smart-phones: the pre-provisioned trust anchors in smartphones are disjoint from the ones in desktop browsers. The opposite is valid too.
>>>
>>> As a result, users visiting one site on a smartphone and on a desktop browser will see TLS warnings that they have not seen previously when visiting the same site. (Trust is temporarily unavailable)
>>>
>>> Shall we add a Deployment Best Practice 8.x section on "Trust Anchor Consistency across devices" that basically recommends browser vendors, phone manufacturers etc. to have a consistent set of pre-provisioned trust anchors?
>>
>> --
>> /*
>> Serge Egelman
>>
>> PhD Candidate
>> Vice President for External Affairs, Graduate Student Assembly
>> Carnegie Mellon University
>>
>> Legislative Concerns Chair
>> National Association of Graduate-Professional Students
>> */
>
> --
> /*
> Serge Egelman
>
> PhD Candidate
> Vice President for External Affairs, Graduate Student Assembly
> Carnegie Mellon University
>
> Legislative Concerns Chair
> National Association of Graduate-Professional Students
> */

---
Johnathan Nightingale
Human Shield
johnath@mozilla.com
Received on Monday, 15 October 2007 20:00:41 UTC
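As an added example (not part of this thread or any of the participants' code), the following Python models the two effects discussed above: devices whose pre-provisioned anchors are disjoint, and an intermediate with two signing chains (a cross-signed copy) that only helps when the PKI stack builds alternative paths rather than validating the presented chain as-is. All certificate and root names are constructed placeholders.

```python
# Each certificate is modelled as (subject, issuer). A cross-signed intermediate
# is a second certificate with the same subject but a different issuer.
LEAF = ("SiteLeaf", "Intermediate")
INTERMEDIATE_NEW = ("Intermediate", "NewRoot")       # the one the server sends
INTERMEDIATE_CROSS = ("Intermediate", "LegacyRoot")  # cross-signed alternative
KNOWN_CERTS = [LEAF, INTERMEDIATE_NEW, INTERMEDIATE_CROSS]  # constructed pool

# Constructed trust stores: the two devices share no anchor at all.
DESKTOP_ANCHORS = {"NewRoot"}
SMARTPHONE_ANCHORS = {"LegacyRoot"}


def presented_chain_ok(chain, anchors):
    """Naive stack: accepts only the chain exactly as the server presented it."""
    for (_, issuer), (next_subject, _) in zip(chain, chain[1:]):
        if issuer != next_subject:
            return False
    return chain[-1][1] in anchors  # does the last cert chain to a local anchor?


def build_path(leaf, anchors, pool=KNOWN_CERTS):
    """Path-building stack: tries every known certificate whose subject matches
    the current issuer, so it can discover the cross-signed chain."""
    def walk(cert, path):
        if cert[1] in anchors:
            return path
        for cand in pool:
            if cand[0] == cert[1] and cand not in path:
                found = walk(cand, path + [cand])
                if found:
                    return found
        return None
    return walk(leaf, [leaf])


def report(chain):
    """Outcome per device: would the user see a TLS warning or not?"""
    return {
        device: {
            "presented_chain": presented_chain_ok(chain, anchors),
            "path_building": build_path(chain[0], anchors) is not None,
        }
        for device, anchors in (("desktop", DESKTOP_ANCHORS),
                                ("smartphone", SMARTPHONE_ANCHORS))
    }


if __name__ == "__main__":
    for device, outcome in report([LEAF, INTERMEDIATE_NEW]).items():
        print(device, outcome)
```

On the smartphone the presented chain fails (its only anchor is LegacyRoot), and the site is rescued only if the stack can find the cross-signed intermediate; a stack that cannot shows exactly the warning the issue describes.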