Re: [wpkops] Preliminary Next Version of Browser Behavior Draft
"Ben Wilson" <ben@digicert.com> Wed, 11 June 2014 02:41 UTC
Return-Path: <ben@digicert.com>
X-Original-To: wpkops@ietfa.amsl.com
Delivered-To: wpkops@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8EF701A0644 for <wpkops@ietfa.amsl.com>; Tue, 10 Jun 2014 19:41:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.952
X-Spam-Level:
X-Spam-Status: No, score=-4.952 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.651, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bqpxO8zGpU_P for <wpkops@ietfa.amsl.com>; Tue, 10 Jun 2014 19:41:48 -0700 (PDT)
Received: from mail.digicert.com (mail.digicert.com [64.78.193.232]) by ietfa.amsl.com (Postfix) with ESMTP id 5CD591A063A for <wpkops@ietf.org>; Tue, 10 Jun 2014 19:41:48 -0700 (PDT)
Received: from BWILSONL1 (c-98-202-216-177.hsd1.ut.comcast.net [98.202.216.177]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by mail.digicert.com (Postfix) with ESMTPSA id 7AE347FA3F6; Tue, 10 Jun 2014 20:41:47 -0600 (MDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=digicert.com; s=mail; t=1402454507; bh=OhxilSo/OQckYwCBaoTP+6UzLYHuac9hjTq0D2mBNXQ=; h=From:To:References:In-Reply-To:Subject:Date; b=kkXdFeeS9jgATD3oj0YRuktDuIFIkUmYLYsy6p7zfbN6GPV53zcGZT4VhFKlio5Ff 4lpXdczAyTUycBzV3zsCx+ofs1e8Yp/y+bjs2nKq3vxqXTol7oimqjklXxj3ENgY4H qOdakt837rrUm2QIiS6BGvBLOjtIhKnD9Ttz2EeE=
From: Ben Wilson <ben@digicert.com>
To: 'Rick Andrews' <Rick_Andrews@symantec.com>, wpkops@ietf.org
References: <001901cf6ec2$376461b0$a62d2510$@digicert.com> <059501cf79f0$69ba9060$3d2fb120$@digicert.com> <544B0DD62A64C1448B2DA253C011414607CC475E56@TUS1XCHEVSPIN33.SYMC.SYMANTEC.COM>
In-Reply-To: <544B0DD62A64C1448B2DA253C011414607CC475E56@TUS1XCHEVSPIN33.SYMC.SYMANTEC.COM>
Date: Tue, 10 Jun 2014 20:41:42 -0600
Message-ID: <00e901cf851e$ade87700$09b96500$@digicert.com>
X-Mailer: Microsoft Outlook 14.0
MIME-Version: 1.0
Thread-Index: AQHAGq9YUAUY845vOYYDLXX689oZPAIbE3NYAoEjYvibZSDHkA==
Content-Language: en-us
Content-Type: multipart/signed; boundary="----=_NextPart_000_00E1_01CF84EC.62BB15D0"; protocol="application/x-pkcs7-signature"; micalg="SHA1"
Archived-At: http://mailarchive.ietf.org/arch/msg/wpkops/iSQvHhRPNJNY8DQTTlT857mPKs8
Subject: Re: [wpkops] Preliminary Next Version of Browser Behavior Draft
X-BeenThere: wpkops@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: <wpkops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/wpkops>, <mailto:wpkops-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/wpkops/>
List-Post: <mailto:wpkops@ietf.org>
List-Help: <mailto:wpkops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/wpkops>, <mailto:wpkops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 11 Jun 2014 02:41:55 -0000
Thanks, Rick. I can add more about the dynamic nature of some root stores to Section 2.1. In 2.2, I wasn't sure what to say because I didn't think I should speak for Mozilla, even though it's been explained to me that those responsible for NSS/Firefox prefer a click through failure because it may tend to alert the server administrator that there is a problem and they need to install a chain properly. In order to say that, I think someone needs to point me to an official statement of that rationale so that I can reference it officially. In 3.1 and beyond, I'll make those replacements of "should" like I did above in Section 2. In Section 3.4, I can tone down the security concerns a bit, but the problem is that the statements are true in a generic sense. Basically, I am trying to take advice from the last telephone call we had and hit the security concerns, e.g., "why do we care?" or, in other words, what is significant about each particular category of behavior, and why did PKIX frame the security design as such? Are you saying that because I do not reveal a specific zero-day threat that I've observed, I'm therefore precluded from mentioning how that latent vulnerability might be exploited? I can make it more clear that we're addressing the generic issues and not the specifics, if that helps. Thanks again for your review and comments-they do help - significantly. Cheers, Ben From: wpkops [mailto:wpkops-bounces@ietf.org] On Behalf Of Rick Andrews Sent: Tuesday, June 10, 2014 6:04 PM To: ben@digicert.com; wpkops@ietf.org Subject: Re: [wpkops] Preliminary Next Version of Browser Behavior Draft Ben, I reviewed what I think is the latest draft at https://tools.ietf.org/html/draft-wilson-wpkops-browser-processing-01, not the Word doc attached to the previous message. Section 2.1: Is it worth pointing out that root stores are not fixed? Not only can they be extended via automatic download (as you pointed out), but enterprises can add and remove roots (as often happens in Windows environments) and browser users can manually add or remove roots or modify trust bits. Document readers may not be aware of those other possibilities. Section 2.2: It might be helpful to readers to explain here why Firefox does not do "AIA chasing". In other words, they don't see it as a missing feature; they choose to fail on incomplete chains, and a case can be made as to why this behavior is preferable to the behavior of other browsers. Or do we just want to point out differences among browsers without trying to explain why those differences exist (where we understand why)? Section 3.1 The introduction says "This document reviews the current processing behaviors...", but this Section is full of "should"s. I suggest it needs to be rewritten to factually describe current behavior. Section 3.4 seems speculative and not descriptive of current browser behavior. Section 3.5 Header is not in bold. Section 4.3 Shouldn't say "browsers should" ;^) -Rick From: wpkops [mailto:wpkops-bounces@ietf.org] On Behalf Of Ben Wilson Sent: Tuesday, May 27, 2014 2:13 PM To: wpkops@ietf.org Subject: Re: [wpkops] Preliminary Next Version of Browser Behavior Draft Here is another draft with suggested changes from Santosh accepted, and the addition of "Security Considerations" subsections, based on our discussions of May 13th. From: wpkops [mailto:wpkops-bounces@ietf.org] On Behalf Of Ben Wilson Sent: Tuesday, May 13, 2014 9:44 AM To: wpkops@ietf.org Subject: [wpkops] Preliminary Next Version of Browser Behavior Draft Here is a first pass through the browser behavior document that I sent to Robin and Santosh yesterday.
- [wpkops] Preliminary Next Version of Browser Beha… Ben Wilson
- Re: [wpkops] Preliminary Next Version of Browser … Ben Wilson
- Re: [wpkops] Preliminary Next Version of Browser … i-barreira
- Re: [wpkops] Preliminary Next Version of Browser … Gervase Markham
- Re: [wpkops] Preliminary Next Version of Browser … Tim Moses
- Re: [wpkops] Preliminary Next Version of Browser … Gervase Markham
- Re: [wpkops] Preliminary Next Version of Browser … Tim Moses
- Re: [wpkops] Preliminary Next Version of Browser … Ben Wilson
- Re: [wpkops] Preliminary Next Version of Browser … Ben Wilson
- Re: [wpkops] Preliminary Next Version of Browser … Tim Moses
- Re: [wpkops] Preliminary Next Version of Browser … i-barreira
- Re: [wpkops] Preliminary Next Version of Browser … i-barreira
- Re: [wpkops] Preliminary Next Version of Browser … Ben Wilson
- Re: [wpkops] Preliminary Next Version of Browser … i-barreira
- Re: [wpkops] Preliminary Next Version of Browser … Ben Wilson
- Re: [wpkops] Preliminary Next Version of Browser … Rick Andrews
- Re: [wpkops] Preliminary Next Version of Browser … Ben Wilson
- Re: [wpkops] Preliminary Next Version of Browser … Stephen Kent
- Re: [wpkops] Preliminary Next Version of Browser … Ben Wilson