Some of us are working on an Internet Draft titled, "Browser processing of server certificates".
Here are some draft definitions for terms that I think we'll be using:
Bypassable error - A behavior in which the browser detects an abnormal
condition and asks the user whether to proceed with (i.e. click-through to)
the SSL/TLS connection.
Fatal error -- A behavior in which the browser detects an abnormal
condition and halts (or technically cannot complete) session negotiation and
drops the connection or otherwise blocks the user from continuing (also
referred to as "hard fail").
Name mismatch - A condition detected by a browser in which no name in the
common name or subject alternative name for the subject in the certificate
matches the hostname sought by the client (i.e. the client's reference
identity - usually a Fully Qualified Domain Name - is not in the
certificate).
Pinned - A condition in which the association between two or more aspects of
the entity-public-key relationship (e.g. server name, public key, CA,
certificate) are configured and set in the browser before initiation of a
TCP connection.
Stapled - A condition in which information related to the server's
certificate (e.g. OCSP response) is delivered by the server to the client as
part of the SSL/TLS handshake, and not by direct communication with the
issuing CA.
Visual indicator - A behavior in which the browser changes the color(s)
and/or intensity of pixels on a screen in the browser chrome to indicate a
changed condition.
Wildcard character - An asterisk - * (Unicode 2A).
We're welcome to ideas on how to fine-tune them. I'd prefer that they be
broad enough to include lots of uses-leaving clarification for their
particular use for description in the text.
Additional definitions might include: "browser chrome", warning, dialog
box, blacklist, and whitelist-but at this point I don't think they need to
be defined. I'm mainly interested in defining special terms used in
describing a type of condition or behavior. Otherwise, we'll have
disagreement over whether the condition and treatment are comparable among
browsers.
What words are missing above that might help make it easier to discuss this
topic?
And for a little fun, try to figure out which conditions triggered the
following responses/behaviors:
Apple - 379 - "This certificate is not in the trusted root database."
Apple - 322 - "This certificate was signed by an untrusted issuer"
Apple - 5 - "Certificate signed by unknown certifying authority"
Windows - 3294 - "The issuer of this certificate could not be found."
Windows - 3296 - "This CA Root certificate is not trusted because it is
not in the Trusted Root Certification Authorities store."
Windows - 3298, 3339, 3343 - "CA not trusted or authorized to issue
certificate"
Windows - 3331 - "This CA Root certificate is not trusted. To enable trust,
install this certificate in the Trusted Root Certification Authorities
store."
NSS - 12195 SSL_ERROR_UNKNOWN_CA_ALERT - "Peer does not recognize and trust
the CA that issued your certificate."
Opera - 2104370139 - "The root certificate from "%1" is not known to
Opera. Opera cannot decide if this certificate can be trusted."
Opera - 1490416928 - "The presented certificate has an unknown Certificate
Authority."
Opera - 1023477417 - "The certificate is not signed by a trusted authority."
Google - /* ERR_UNKNOWN_CA */ { "Unknown Certificate issuer!", USER},
smime.p7s
Description: S/MIME cryptographic signature
_______________________________________________ wpkops mailing list wpkops@ietf.org https://www.ietf.org/mailman/listinfo/wpkops
