Re: ISSUE-130 (Trust Anchors): Trust Anchor Consistency Across Devices? [Techniques] from Ian Fette on 2007-10-15 (public-wsc-wg@w3.org from October 2007)

From: Ian Fette <ifette@google.com>
Date: Mon, 15 Oct 2007 12:59:25 -0700
To: "Serge Egelman" <egelman@cs.cmu.edu>
Cc: "Web Security Context Working Group WG" <public-wsc-wg@w3.org>
Message-ID: <bbeaa26f0710151259u69ec13a1ue5279b3bbc235ee9@mail.gmail.com>

Sorry... I read your response and didn't go back and re-read the original
email.

I think it would be great for IE on Mobile to be consistent with Desktop IE,
but the reality is that (or at least, I fear it is that) people use a
different browser on their desktop than on their mobile device. If you are
an iPhone user, you (probably) use Safari on your iPhone, but something else
on your PC (assuming you're not a mac user). if you are a Windows Mobile
user, you're (probably) using IE on your phone, but who knows what on the
desktop.

So, to get consistency, what you really need is a common set of root CAs
across not only platforms, but across browsers as well, and that's a huge
can of worms...

-Ian

On 10/15/07, Serge Egelman <egelman@cs.cmu.edu> wrote:
>
> Uhhh, this is just about trust anchors (e.g. root certificates), not the
> other proposals.
>
> serge
>
> Ian Fette wrote:
> > Provided that it makes sense for the context. i.e. half of these
> > recommendations I think would be nightmarish on a mobile device if you
> > just take the desktop implementation and tried to use it with mobile. I
> > think consistency is good, but "making sense" on the native platform is
> > certainly going to have to be higher priority if we are to expect
> adoption.
> >
> > On 10/15/07, *Serge Egelman* <egelman@cs.cmu.edu
> > <mailto:egelman@cs.cmu.edu>> wrote:
> >
> >
> >     I would certainly agree to this recommendation.
> >
> >     serge
> >
> >     Web Security Context Working Group Issue Tracker wrote:
> >     >
> >     > ISSUE-130 (Trust Anchors): Trust Anchor Consistency Across
> >     Devices? [Techniques]
> >     >
> >     > http://www.w3.org/2006/WSC/track/issues/
> >     >
> >     > Raised by: Luis Barriga
> >     > On product: Techniques
> >     >
> >     > At the f2f meeting I mentioned one of the findings on
> >     smart-phones: the pre-provisioned trust anchors in smartphones are
> >     disjoint from the ones in desktop browsers. The opposite is valid
> too.
> >     >
> >     > As a result, users visiting the one site on a smartphone and on a
> >     desktop browser will see TLS warnings that they has not seen
> >     previously when visiting the same site. (Trust is temporary
> unavailable)
> >     >
> >     > Shall we add a Deployment Best Practice 8.x section on "Trust
> >     Anchor Consistency across devices" that basically recommends browser
> >     vendors, phone manufacturers etc to have a consistent set of
> >     pre-provisioned trust anchors?
> >     >
> >     >
> >     >
> >     >
> >     >
> >     >
> >     >
> >
> >     --
> >     /*
> >     Serge Egelman
> >
> >     PhD Candidate
> >     Vice President for External Affairs, Graduate Student Assembly
> >     Carnegie Mellon University
> >
> >     Legislative Concerns Chair
> >     National Association of Graduate-Professional Students
> >     */
> >
> >
>
> --
> /*
> Serge Egelman
>
> PhD Candidate
> Vice President for External Affairs, Graduate Student Assembly
> Carnegie Mellon University
>
> Legislative Concerns Chair
> National Association of Graduate-Professional Students
> */
>

Received on Monday, 15 October 2007 19:59:44 UTC