ISSUE-183
Automatic Selfsigned Certificate acceptance/probation MUST NOT be implemented unless there is a history capability
- State:
- CLOSED
- Product:
- wsc-xit
- Raised by:
- Yngve Pettersen
- Opened on:
- 2008-02-07
- Description:
- If a client is able to automatically accept a Selfsigned Certificate, or recover from a similar problem without user interaction, it MUST NOT do so unless the client also has a history mechanism about security information.
The reason for this is that if there is no information about the previous security state available, an attacker can exploit such automatic actions to stage a Man-In-the-Middle attack by replacing the original site's certificate.
- Related Actions Items:
- ACTION-428 on Anil Saldhana to Incorporate ISSUE-183 def to spec - due 2008-05-29, closed
- Related emails:
- Meeting record: 2008-05-14 (from tlr@w3.org on 2008-06-06)
- Meeting record: 2008-05-07 (from tlr@w3.org on 2008-06-06)
- Re: Agenda: WSC WG distributed meeting, Wednesday, 2008-05-21 (from egelman@cs.cmu.edu on 2008-05-21)
- Re: Agenda: WSC WG distributed meeting, Wednesday, 2008-05-21 (from tlr@w3.org on 2008-05-20)
- Agenda: WSC WG distributed meeting, Wednesday, 2008-05-21 (from Mary_Ellen_Zurko@notesdev.ibm.com on 2008-05-20)
- Re: ISSUE-183, ISSUE-169 (from Mary_Ellen_Zurko@notesdev.ibm.com on 2008-05-14)
- Re: ISSUE-183: Automatic Selfsigned Certificate acceptance/probation MUST NOT be implemented unless there is a history capability [wsc-xit] (from Mary_Ellen_Zurko@notesdev.ibm.com on 2008-05-14)
- Re: ISSUE-183, ISSUE-169 (from steele@adobe.com on 2008-05-12)
- Re: ISSUE-183: Automatic Selfsigned Certificate acceptance/probation MUST NOT be implemented unless there is a history capability [wsc-xit] (from Anil.Saldhana@redhat.com on 2008-05-12)
- Re: ISSUE-183: Automatic Selfsigned Certificate acceptance/probation MUST NOT be implemented unless there is a history capability [wsc-xit] (from Anil.Saldhana@redhat.com on 2008-05-11)
- Re: Agenda: WSC WG distributed meeting, Wednesday, 2008-05-07 (from hahnt@us.ibm.com on 2008-05-06)
- Agenda: WSC WG distributed meeting, Wednesday, 2008-05-07 (from Mary_Ellen_Zurko@notesdev.ibm.com on 2008-05-06)
- WSC WG f2f May 2008 Agenda (v 1.0) (from Mary_Ellen_Zurko@notesdev.ibm.com on 2008-05-02)
- Re: Agenda: WSC WG distributed meeting, Wednesday, 2008-04-30 (from tlr@w3.org on 2008-04-29)
- Re: Agenda: WSC WG distributed meeting, Wednesday, 2008-04-30 (from egelman@cs.cmu.edu on 2008-04-29)
- Re: Agenda: WSC WG distributed meeting, Wednesday, 2008-04-30 (from maritzaj@cs.columbia.edu on 2008-04-29)
- Agenda: WSC WG distributed meeting, Wednesday, 2008-04-30 (from Mary_Ellen_Zurko@notesdev.ibm.com on 2008-04-29)
- ISSUE-183: Automatic Selfsigned Certificate acceptance/probation MUST NOT be implemented unless there is a history capability [wsc-xit] (from sysbot+tracker@w3.org on 2008-02-07)
Related notes:
ACTION-428 has added the text into XIT, section 5.1.5
Anil Saldhana, 11 May 2008, 21:20:45
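
The reasoning in the issue description, shown as an added Python example that is not part of the tracker record or the specification text: a client with no history gets the same answer for the site's certificate and a substituted one, while a client with history can tell them apart. The names `HistoryStore` and `evaluate_self_signed`, the policy of putting a first sighting on probation, and the certificate bytes are assumptions constructed for illustration.

```python
import hashlib
from enum import Enum


class Decision(Enum):
    ASK_USER = "no history: no automatic action, user must decide"
    PROBATION = "first sighting: recorded, not yet trusted"
    ACCEPT = "matches the certificate recorded for this host"
    CHANGED = "differs from the recorded certificate: warn, do not accept"


class HistoryStore:
    """In-memory stand-in for a persistent per-host security history."""

    def __init__(self):
        self._pins = {}

    def lookup(self, host):
        return self._pins.get(host)

    def record(self, host, fp):
        self._pins[host] = fp


def evaluate_self_signed(host, cert_der, history):
    """Decide how to treat a self-signed certificate; history may be None."""
    if history is None:
        # Without a previous security state, the site's own certificate and a
        # substituted one look the same, so nothing is accepted automatically.
        return Decision.ASK_USER
    fp = hashlib.sha256(cert_der).hexdigest()
    known = history.lookup(host.lower())
    if known is None:
        history.record(host.lower(), fp)  # assumed policy: record, then probation
        return Decision.PROBATION
    return Decision.ACCEPT if known == fp else Decision.CHANGED


def demo():
    # Constructed sample bytes standing in for DER-encoded certificates.
    site, other = b"constructed-site-cert", b"constructed-substitute-cert"
    store = HistoryStore()
    return [
        evaluate_self_signed("example.test", site, None),    # no history
        evaluate_self_signed("example.test", other, None),   # no history, swapped
        evaluate_self_signed("example.test", site, store),   # first sighting
        evaluate_self_signed("example.test", site, store),   # same cert again
        evaluate_self_signed("example.test", other, store),  # swapped cert
    ]
```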