Closed mmccool closed 1 year ago
Note: if we can't change the assertion for procedural reasons, we could try adding informative text after the assertion saying that "certificates" is meant. However, "pre-shared keys" is not technically correct, since certificates are about identity, and then browsers negotiate session keys.
So one issue here is that changes to assertions should not impact implementations. Technically, use of TLS-PSK also requires certificates first, and then the PSK is added. So if this was interpreted as requiring use of TLS-PSK, then such implementations would also satisfy a technically weaker interpretation of only requiring certificates. We could also say "pre-shared keys or certificates" which would cover any implementors working on TLS-PSK but would allow additional implementations to satisfy the assertion while only using certificates.
However, note there are NO implementations of this assertion so far (the Dev Mtg slides previously said 1, but that was a cut-and-paste error, since fixed).
There is also another informative sentence immediately after this assertion that uses "key" that might be misinterpreted, so "credential" might be better here.
In section 10.5 Secure Transport -> Private Networks, there is another informative sentence that uses the phrase "pre-shared keys". We should update this to be more general, perhaps "pre-shared credentials" or maybe "pre-shared credentials such as certificates" (just "certificates" is not enough; there also need to be API keys or passwords or the like installed).
These informative changes would not have the same procedural challenges as changing the assertion.
No security call today (April 17) due to Hannover Fair; however, I was thinking about this and it's maybe a bit too much to consider this change "editorial". Perhaps the best thing to do here is make this informative (it's at-risk, so that is acceptable) but better explain the various kinds of "security materials" that might be pre-installed (certificates, API keys, tokens, TLS-PSK pre-shared keys, etc.).
Change the text of this assertion from
to
In the context of browsers, "certificates" is more accurate, and the use of the PSK term seems to imply TLS-PSK, which is not what was meant. The Security TF feels this does not change the intended meaning of the assertion, but because it's a change to the text of an assertion we may have to get approval.
NOTE: do NOT change the id of the assertion, at least in this release, to avoid disrupting testing.
NOTE: some alternatives are discussed below. Use of TLS-PSK implies use of certificates, actually. But certificates are the minimum requirement for using TLS.