Noah: We had an email from Harry Halpin that kicked this off with
<noah> E-mail title: "The CA system is spectacularly broken - can
the TAG help?"
email sets out the history in which people have had certificates
issued fraudulently. We think security on the Web is hugely
important. So now what?
Thomas: https is a protocol that relies on a certain trust
framework. That is working fine...
... you have at the protocol level, dependency on the CA system.
so what can be done to deal with that system?
one of the conversations going on in some quarters is about
perhaps modifying the distribution mechanisms for certs, create
channels that permit the holder of the domain name with the cert
authorities permitted to be used with it, etc...
another approach discussed is to use the DNS as a conveyance
mechanism for trust information. That could be reasonably sane given
<noah> Curious, when Thomas says that techniques are "being
discussed", does this mean formally in responsible groups in the
IETF, or just informally among concerned techies?
<Yves> formally in the IETF, at least for DNSSEC
... if the industry goes in that direction we get reduced attack
surface. Right now if I have a domain name registered in .com in US
and someone in Lux issues a cert for that domain, that cert is
the tactic of using DNSSEC reduces the attack surface.
<noah> Can we get the name of the mailing list please?
DNSSEC is an existing IETF standard. There is a working group
working on how to store certs. There is a possible BoF to discuss
additional [work] at next IETF.
the name of the mailing list is "the right key"
<Zakim> noah, you wanted to talk about https URI scheme and RFC 2818
Noah: we have been talking about protocols. It occurred to me that
this also relates to https URI scheme.
<noah> "If the hostname is available, the client MUST check it
<noah> server's identity as presented in the server's Certificate
<noah> in order to prevent man-in-the-middle attacks.
<jar> this doesn't say how to do the checking.
Noah: so - architecturally this is called out not just in the https
protocol but in the definition of the correct resolution of URI
identifiers using that scheme. There is a sense that the namespace
of https schemes is validated by the CA system.
Thomas: this is an informational RFC.
Noah: It's pointed to by IANA...
Thomas: it's modifiable.
Noah: I think it has some force in practice.
Ashok: Question - several of the approaches use a third party cert
<noah> Noah is somewhat perplexed that RFC 2818 is the official
registration for one of the Web's most important URI schemes, but is
marked informational. To a non-IETF wonk, this seems very, very
Thomas: all of these approaches [being discussed] at some point need
to establish a binding between the identifier and a cryptographic
key and some of them need to establish binding with a real life
identity. The way these schemes do this is to have a chain of
custody. DNS delegation - the key hierarchy that derives from DNSSEC
- could allow me to sign my own...
That is one approach. The other approach uses a third party that
is trusted. That is the traditional CA system.
Ashok: It turns out there are several possible solutions. Do we have
to pick one? Or can we have a number of them that can be browser
specific or user-selected?
Thomas: If I want to reduce attack surface then I want to reduce the
mechanisms by which I can be attacked.
Users choosing authorities that they trust in real deployment is
usually a myth.
When have you last edited the list of CAs in your browser?
Last year Jeff Jaffe asked us to highlight to him topics that we
felt might be threats to the Web. This will be on it.
Beyond it, the TAG has no plans to do anything other than discuss
today. Is there a way we can help?
Thomas: I was asking - is there something W3C can do to help? At
this particular juncture, I am trying to get a handle on what work
is in purview of W3C and what is in purview for IETF.
I think it's reasonable for the TAG to keep an eye on this topic.
Noah: Harry's note points to three specific proposals in the
he feels the right organizational structures aren't in place and
maybe it's time for w3c to move.
Thomas: Harry will collaborate on this with Wendy - one question in
this domain is to figure out what piece of this we [w3c] should
Noah: You as the domain lead have recommended that we keep an eye on
this. We are responding to a specific request from Harry. Maybe the
right thing is to publish the minutes and for me to take an action
to get back to Harry.
... Any objections?
<trackbot> Created ACTION-663 - Verify with Harry Halpin the TAG's
plan to "keep an eye" on CA issues, and solicit his and TLR's help
in keeping us informed Due: 2012-01-31 [on Noah Mendelsohn - due
<noah> ACTION-663 Due 2012-01-31
<trackbot> ACTION-663 Verify with Harry Halpin the TAG's plan to
"keep an eye" on CA issues, and solicit his and TLR's help in
keeping us informed Due: 2012-01-31 due date now 2012-01-31
Thomas: There are some ideas floating around [about workshops]. The
conversation is about a possible BoF at Paris IETF meeting. I sent
an email to the TAG mailing list. I [encourage] you to follow that
<jar> maybe HH is worried that the browser folks aren't in good
communication with IETF?
Noah: Anyone willing to take a long-term action to watch for news in
... Thanks, Thomas.
Thomas: if we do a workshop it would be great to have someone from
the TAG on the program committee, for example.
Noah: Goal here is to look at this product page...
to come out agreeing to his or to a revision of it or [dropping
Henry: I have input from Larry and others which I have not
I would prefer to put this off.
Noah: unless others object I think we should.
[agreement to put off]
<noah> Adding note to ACTION-528: Per brief discussion on 19 January
2012, this will not be scheduled for discussion until Henry Thompson
integrates agreed changes from Larry Masinter, and others, as
recorded in minutes of F2F and earlier calls.
<trackbot> ACTION-528 -- Henry Thompson to create and get consensus
on a product page and tracker product page for persistence of names
-- due 2012-01-24 -- OPEN
<trackbot> ACTION-523 -- Ashok Malhotra to (with help from Noah)
build good product page for client storage finding, identifying top
questions to be answered on client side storage -- due 2012-01-17 --