JeffH wrote:
>
> > http://www.w3.org/TR/wsc-ui/ [WSC-UI]
>
> Which is entitled: "Web Security Context: User Interface Guidelines"
Thanks for providing this link!!
Section 5.1.4 here:
http://www.w3.org/TR/wsc-ui/#selfsignedcerts
is much closer to what I think would be useful and sensible.
"Pinning" of certs is useful for both certs that validate fine
and certs that do not validate for the two reasons "not trusted"
and "server-id-mismatch".
>
> Given all this, I suggest we change the last part of the last sentence of the
> "Security Note" quoted above to something like..
>
> ..., by forcing the user to view the entire certification path
> and only then allowing the user to choose whether to accept the
> certificate on a temporary or permanent basis. See [WSC-UI] for
> further guidance.
What is the idea behind visualizing the full chain?
I've seen the same in 5.1.4 of the WSC-UI document, but there's
no rationale given and I cannot think of one. If the purpose is
memorizing and "pinning" a server cert, there is no point in
visualizing the certificate chain.
Either there is no trust, then the chain can be crafted to look
like anything, or it is trusted, then -- well it is trusted and
there is no point (for Joe Average User) in looking at the chain,
because this chain has passed certificate path validation.
-Martin
_______________________________________________
certid mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/certid
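The "pinning" model Martin describes (remember the server's leaf cert, accepted temporarily or permanently, whether or not path validation succeeded), as an added example that is not part of this thread or of any cited document; the hostnames and certificate bytes are constructed placeholders, and the decision rules are one possible policy, not something the WSC-UI document or the draft specifies.

```python
import hashlib

# Constructed stand-ins for DER-encoded leaf certificates (not real certs).
LEAF_A = b"constructed-der-bytes-for-example.test-leaf-A"
LEAF_B = b"constructed-der-bytes-for-example.test-leaf-B"


def fingerprint(leaf_der: bytes) -> str:
    """Pin the leaf certificate only; the chain plays no role in the pin."""
    return hashlib.sha256(leaf_der).hexdigest()


class PinStore:
    """Trust-on-first-use store keyed by host, with temporary or permanent pins."""

    def __init__(self):
        self.pins = {}  # host -> (fingerprint, permanent)

    def accept(self, host, leaf_der, permanent):
        """Record the user's decision for a cert that did not validate."""
        self.pins[host] = (fingerprint(leaf_der), permanent)

    def end_session(self):
        """Temporary acceptances are forgotten when the session ends."""
        self.pins = {h: p for h, p in self.pins.items() if p[1]}

    def decide(self, host, leaf_der, validation):
        """validation is the outcome of normal path validation:
        'ok', 'not-trusted' or 'id-mismatch'.
        Returns 'accept', 'reject' or 'ask-user'."""
        fp = fingerprint(leaf_der)
        pinned = self.pins.get(host)
        if pinned is not None:
            if pinned[0] == fp:
                return "accept"          # same leaf as before, chain irrelevant
            if validation == "ok":
                return "ask-user"        # leaf changed but the new chain validates
            return "reject"              # changed leaf and untrusted chain
        if validation == "ok":
            self.pins[host] = (fp, True)  # validated: remember it for next time
            return "accept"
        return "ask-user"                 # untrusted / name mismatch, never seen
```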