<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<font face="Calibri">+1<br>
<br>
</font><br>
<div class="moz-cite-prefix">On 11/03/2015 19:29, Rick Andrews
wrote:<br>
</div>
<blockquote
cite="mid:544B0DD62A64C1448B2DA253C01141460BD600159C@TUS1XCHEVSPIN33.SYMC.SYMANTEC.COM"
type="cite">
<meta http-equiv="Content-Type" content="text/html;
charset=windows-1252">
<meta name="Generator" content="Microsoft Exchange Server">
<!-- converted from rtf -->
<style><!-- .EmailQuote { margin-left: 1pt; padding-left: 4pt; border-left: #800000 2px solid; } --></style>
<font face="Calibri, sans-serif" size="2">
<div>I made this request to the browser vendors in the
Face-to-Face meeting today:</div>
<div> </div>
<div>Browsers have been making a lot of security-related UI
changes lately. Sometimes they’re related to the certificate,
or the certificate chain. Those are relatively easy to figure
out. Browser vendors have indicated that they will also
degrade security
UI based on connection-related properties like negotiated
ciphersuite or session key size. Those will be more difficult
to figure out.</div>
<div><font face="Calibri, sans-serif"> </font></div>
<div>Some browsers may begin degrading UI based on properties
related not just to the main connection (that retrieves the
requested page) but to all the other connections that retrieve
subordinate resources (like scripts, images, etc.). I’m
concerned that it
will be extremely difficult for the end user to figure out
that out of the many connections needed to build a page, one
single connection to fetch an ad or to include some web
analytics violated some requirement and caused the EV
treatment to disappear, for
example.</div>
<div><font face="Calibri, sans-serif"> </font></div>
<div>In many such cases, customers turn to the CA for support,
and we’re finding it increasingly difficult to determine
why a particular security-related UI is displayed. I’ve asked
the major browser vendors to help by writing some relevant
information
to their debug log. It’s fine if the CA or the customer needs
to run the browser in debug mode, or launch the Web or
Developer Console, as long as we’re able to drill down and
find something like “EV treatment removed for site [s] because
[x] happened on connection
to [y]”, or “Security warning shown because SHA-1 present in
cert chain”.</div>
<div><font face="Calibri, sans-serif"> </font></div>
<div>If the browser vendors reply to the public list with
detailed instructions, I’ll collect all the info on the CAB
Forum wiki. Thanks,</div>
<div><font face="Calibri, sans-serif"> </font></div>
<div>-Rick</div>
<div><font face="Calibri, sans-serif"> </font></div>
</font>
<br>
<br>
<pre wrap="">_______________________________________________
Public mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Public@cabforum.org">Public@cabforum.org</a>
<a class="moz-txt-link-freetext" href="https://cabforum.org/mailman/listinfo/public">https://cabforum.org/mailman/listinfo/public</a>
</pre>
</blockquote>
<br>
<div class="moz-signature">-- <br>
<i><span style="font-family: Serif">Adriano Santoni</span></i>
</div>
</body>
</html>