On Fri, 2010-09-24 at 12:32 -0700, =JeffH wrote:
> [email protected] said:
> > Separately, I wonder if it makes sense for server-id-check to
> > specifically discuss the handling of certificates that don't match a
> > reference identifier when the considerations are essentially the same
> > for certificates with other problems (most commonly, expired or
> > untrusted issuer) and, indeed, modern browsers tend to provide a single
> > UI for these three most common problems. I'm not sure where would be
> > the right place to standardize handling of bad certificates in general.
> > There is a W3C document, but it only applies to interactive user agents:
> >
> > http://www.w3.org/TR/wsc-ui/ [WSC-UI]
>
> Which is entitled: "Web Security Context: User Interface Guidelines"
>
> Note that we already cite this doc (though we need to update our cite because it
> is now a Recommendation).
>
> In any case, this is a good catch, thanks. In reading WSC-UI, it appears to
> overall address our needs for more full explanation of interactive user agent
> behavior in error condition cases (although it doesn't differentiate between
> "pinning" a cert temporarily vs permanently).
>
> Given all this, I suggest we change the last part of the last sentence of the
> "Security Note" quoted above to something like..
>
> ..., by forcing the user to view the entire certification path
> and only then allowing the user to choose whether to accept the
> certificate on a temporary or permanent basis. See [WSC-UI] for
> further guidance.
>
> ..and leave it at that in -tls-server-id-check. We should also consider making
> [WSC-UI] a normative reference now that it is at Recommendation maturity level.
OK. I suggest s/to choose whether //; the point is that the user accepts the
certificate.

Another issue with WSC-UI that I neglected to point out earlier: it only
discusses pinning of certificates with untrusted issuers, so we should make
explicit that we are recommending that the WSC-UI treatment of untrusted
issuers be applied to name mismatches. And it's awkward to do that if the
omission of pinning for name mismatches from WSC-UI was intentional (i.e., the
authors thought it was a bad idea). Does anyone know if this is the case?

--
Matt

_______________________________________________
certid mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/certid
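As an added illustration, not code from the thread, the draft or WSC-UI: a small Python model of the user-agent behaviour the thread discusses, in which a reference-identifier mismatch is reported in the same list as an untrusted issuer or an expired certificate, and any acceptance by the user is pinned to the exact certificate shown, either for a session or permanently. The DNS-ID wildcard rule, the session TTL and the certificate bytes in the test are assumptions constructed for this example.

```python
import hashlib

def dns_id_matches(presented, reference):
    """Case-insensitive, label-by-label DNS-ID comparison; a wildcard only as
    the whole left-most label, and only below a registered name (assumption)."""
    p = presented.lower().rstrip(".").split(".")
    r = reference.lower().rstrip(".").split(".")
    if len(p) != len(r):
        return False
    if p[0] == "*":
        return len(r) >= 3 and p[1:] == r[1:]
    return p == r

def classify(chain_trusted, not_after, presented_ids, reference_id, now):
    """List every problem; a name mismatch sits beside the other two failures."""
    problems = []
    if not chain_trusted:
        problems.append("untrusted-issuer")
    if now > not_after:
        problems.append("expired")
    if not any(dns_id_matches(p, reference_id) for p in presented_ids):
        problems.append("name-mismatch")
    return problems

class ExceptionStore:
    """User-granted exceptions, keyed by reference identifier plus the SHA-256
    fingerprint of the exact certificate the user was shown."""
    def __init__(self):
        self._pins = {}  # (reference_id, fingerprint) -> expiry, or None if permanent
    def accept(self, reference_id, cert_der, permanent, now, session_ttl=3600):
        key = (reference_id, hashlib.sha256(cert_der).hexdigest())
        self._pins[key] = None if permanent else now + session_ttl
    def is_accepted(self, reference_id, cert_der, now):
        key = (reference_id, hashlib.sha256(cert_der).hexdigest())
        if key not in self._pins:
            return False
        expiry = self._pins[key]
        if expiry is not None and now >= expiry:
            del self._pins[key]  # temporary exception has lapsed
            return False
        return True

def decide(store, reference_id, cert_der, problems, now):
    """'ok' if valid, 'pinned' if this exact cert was already accepted, else 'prompt'."""
    if not problems:
        return "ok"
    if store.is_accepted(reference_id, cert_der, now):
        return "pinned"
    return "prompt"
```

A different certificate for the same name never inherits an earlier exception, so the user is shown the full certification path again rather than having the pin silently extended.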
