Dear members,

After preliminary discussions with Tim Moses and Sharon Boeyen, we were
asked to send our ideas through the mail list of the WG. Hopefully, that
would be useful for the WG.

By reading the charter of your WG, we realize that the objective is to
describe how things are today with Web PKIs, and this from the
perspectives of relying parties, certificate holders, CAs and browsers.
We have also checked your latest Trust models of the Web PKI draft
(draft-moses-webpki-trustmodel-00).

In our view, describing how things are today can be done at two levels:

· Trust level: at this level the WG can bring answers to different questions:
  o What is the main conceptual trust model in the Web and why is it
    different from the one in the closed PKI deployment model? The current
    version of the draft gives only different instances of that model
    without any further explanation. In previous research works, we have
    clarified this issue by introducing a new trust model called the "four
    cornered trust model". In this model we have introduced a new role
    called the "Trust Broker" who will help RPs to make informed decisions
    about certificates. Our proposal has been accepted in the working draft
    of the standard X.509.
  o What do the concepts of Trust, Trust in CAs and Trust in a
    Certificate mean?
  o How do different countries regularize their PKIs (i.e. exclusive
    governmental CAs or commercial CAs or both of them)?
  o What are the different policies adopted by web browsers to include CAs
    in their list?
  o What is the liability of web browsers to RPs concerning the
    recommendations they provide to RPs?

· Technical level: this concerns principally the certificate validation
  process of Web browsers. In 2008, we made a study that
  identified the differences between browsers about that issue. We have
  shown that web browsers have different behaviors for the same
  certificate. We have also given the main reasons for this issue. For
  more information you can read this paper (Which Web Browsers Process
  SSL Certificates in a Standardized Way? In: IFIP TC-11 International
  Information Security Conference (IFIP SEC 2009), Cyprus,
  18/05/09-20/05/09).

We are looking forward to hearing your comments.

Best Regards
Samer Wazan
_______________________________________________
wpkops mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/wpkops