Inline From: Tim Moses <[email protected]> Date: Thursday, August 30, 2012 11:41 AM To: "[email protected]" <[email protected]> Subject: [wpkops] Second draft charter proposal
>Colleagues > I have updated the proposed charter to reflect the discussion (see >below). All the best. Tim. > >The Web PKI is the set of systems and procedures most commonly used to >protect the confidentiality, integrity and authenticity of communications >between Web browsers and Web content servers. It first appeared in 1993 >or thereabouts and has > developed continuously in a somewhat organic fashion since then. Across >all the suppliers and the point releases of their products, there are now >hundreds of variations on the Web PKI in regular use. And this can be a >source of problems both for end-users > and certificate issuers. > >For end-users, there is no clear view whether certificate "problems" >remain when they see indication of a "good" connection. For instance, in >some browsers, a "good" indication may be displayed when a "revoked" >response has been received and > "accepted" by the user. Whereas, other browsers may refuse to display >the contents under these circumstances. > > > > >And for issuers, it can be difficult to predict what proportion of the >user population will accept a certificate chain with certain >characteristics. For instance, when a browser includes a nonce in an >OCSP request but the server supplies a > response that does not include the nonce, it is hard to know which >browsers will accept and which will reject the response. > > > Is client authentication processing performed by web servers in scope? If not, explicitly push that out of scope. > > >Starting from the premise that more consistency in Web security behavior >is desirable, a natural first step would be to document current and >historic browser and server behavior. But, such a project has to be >bounded. Therefore, only behavior > encountered in more than 0.1 percent of connections made by desktop and >mobile browsers should be considered. While it is not intended to apply >the threshold with any precision, it may be used to justify the inclusion >or exclusion of a technique. > >Future activities may attempt to prescribe how the Web PKI "should" work, >and the prescription may turn out to be a proper subset of the PKIX PKI. >However, that task is explicitly not a goal of the proposed working >group. Instead, the group's > goal is merely to describe how the Web PKI "actually" works in the set >of browsers and servers that are in common use today. > > > Why are so many words quoted here and in the second paragraph? > > >Additionally, a number of applications (such as document signing, code >signing, and email) may use the same trust anchors and >certificate-handling libraries as the ones used by the Web. >Nevertheless, they may use the results in a way that > is visibly different from the way in which the Web uses them. >Therefore, these applications are explicitly out of scope for the working >group. > > > I'd like to see the charter include identification of overlap between the Web PKI and other applications as in scope. As written, it's not clear this information will be captured. Any BCP resulting from this effort can't ignore impact on other applications (even if those applications are not in scope for this effort). > > >Also, the reliability of the Web PKI depends critically on the practices >of its certificate issuers. However, the topic of practices is outside >the scope of the IETF. Therefore, this will be left to other competent >bodies. > >That there are technical shortcomings with Web PKI, as it is practiced >today, is well recognized. And, that there is also some urgency in >addressing these shortcomings is also well recognized. But, it is felt >that too much haste can be counter-productive. > The expectation is that the work of this group will bring to light, in a >systematic way, aspects of the Web PKI that should be progressed in >future working groups of the IETF's Security Area, and that suppliers >will be willing to participate in those working > groups and modify their products to comply with their standards. > >Given the urgency of the required developments and the scale of the task, >it is agreed that adherence to the published schedule should take >precedence over completeness of the results. > >Milestones >======== > >1. >First WG draft of "trust model" document (4 months). >2. >First WG draft of "certificate, CRL, and OCSP field and extension >processing" document (12 months). >3. >First WG draft of "Web-server / CA communications" document (4 months). >4. >First WG draft of "certificate revocation" document (8 months). >5. >First WG draft of "TLS stack operation" document (8 months). >6. >IESG submission of "trust model" document (16 months). >7. >IESG submission of "certificate, CRL, and OCSP field and extension >processing" document (24 months). >8. >IESG submission of "Web-server / CA communications" document (16 months). >9. >IESG submission of "certificate revocation" document (20 months). >10.IESG submission of "TLS stack operation" document (16 months). > > > >T: +1 613 270 3183 > > > > >_______________________________________________ >wpkops mailing list >[email protected]https://www.ietf.org/mailman/listinfo/wpkops _______________________________________________ wpkops mailing list [email protected] https://www.ietf.org/mailman/listinfo/wpkops
