[cabfpub] eIDAS meeting presentations

Ryan Sleevi sleevi at google.com
Fri Apr 1 15:26:15 MST 2016


On Fri, Apr 1, 2016 at 3:19 PM, Dean Coclin <Dean_Coclin at symantec.com>
wrote:

> I think what the presenter had in mind were “hooks” into the trust store
> such that an alternate trust source (i.e. eIDAS Trust List) could be
> selected by a user. I believe Ryan said this type of “hook” exposes the
> browser to potential malicious intent.  One question I had (and I really
> don’t know how this works) is that I know Microsoft provides the
> capabilities for Enterprises to add or push roots out to users in their
> groups. Perhaps Dr. Poesch had that in mind when he was brainstorming his
> hook idea.

Given that such features are Enterprise-only (group policy managed), I
think that's unlikely, since the goal of eIDAS is consumer-facing. That is,
I don't think you want every citizen needing to join a federated European
Active Directory deployment ;)

That said, even those features have been abused. For example, applications
targeting Android API Level 24 (Android N) will no longer respect
enterprise-pushed roots unless each individual developer individually opts
in. This is covered in the Android N preview notes at
https://developer.android.com/intl/es/preview/features/security-config.html

Unless an application opts in, the installation of a root certificate (or,
in this case, an EU TL), is NOT sufficient to allow access to sites using
those certs.
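
The opt-in described above, as an added example that is not part of the original message: a small Python audit that reads an app's Network Security Configuration XML and reports, for the app default and each listed domain, whether user-added roots (`src="user"`) are trusted. The sample config, its domain names and the function names are constructed for illustration, and `debug-overrides` is not evaluated.

```python
import xml.etree.ElementTree as ET

# Constructed sample config (not from any real app): the app as a whole keeps
# the platform default, and one domain explicitly opts in to user-added roots.
SAMPLE_CONFIG = """<network-security-config>
    <domain-config>
        <domain includeSubdomains="true">intranet.example.com</domain>
        <trust-anchors>
            <certificates src="system" />
            <certificates src="user" />
        </trust-anchors>
    </domain-config>
    <domain-config>
        <domain>api.example.com</domain>
    </domain-config>
</network-security-config>
"""

def default_sources(target_sdk):
    # Platform default when no <trust-anchors> applies: apps targeting
    # API 23 or lower trust system + user stores, API 24+ only system.
    return {"system"} if target_sdk >= 24 else {"system", "user"}

def declared_sources(element, inherited):
    # A <trust-anchors> child replaces the inherited set; otherwise inherit.
    anchors = element.find("trust-anchors") if element is not None else None
    if anchors is None:
        return inherited
    return {c.get("src") for c in anchors.findall("certificates")}

def audit(xml_text, target_sdk):
    """Return {scope: trusts_user_roots} for the app default and each domain."""
    root = ET.fromstring(xml_text)
    base = declared_sources(root.find("base-config"), default_sources(target_sdk))
    report = {"*": "user" in base}

    def walk(parent, inherited):
        for cfg in parent.findall("domain-config"):
            sources = declared_sources(cfg, inherited)
            for dom in cfg.findall("domain"):
                report[dom.text.strip()] = "user" in sources
            walk(cfg, sources)  # nested domain-config inherits from its parent

    walk(root, base)
    return report

if __name__ == "__main__":
    for sdk in (23, 24):
        print(sdk, audit(SAMPLE_CONFIG, sdk))
```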