
WSC-UI: use cases for cert pinning

From: =JeffH <Jeff.Hodges@KingsMountain.com>
Date: Fri, 24 Sep 2010 16:39:27 -0700
Message-ID: <4C9D36AF.1080801@KingsMountain.com>
To: public-usable-authentication@w3.org
CC: Thomas Roessler <tlr@w3.org>

AFAICT, <http://www.w3.org/TR/wsc-ui/> [WSC-UI] discusses cert "pinning" only 
in the case of self-signed certs, or certs whose cert chain leads to an 
untrusted root certificate.

We're curious as to whether cert pinning in the face of subject name mismatch 
was considered as a use case, as well as in the face of other TLS/SSL cert 
errors, as apparently done by present browsers (for better or worse).

In other words, is it your conscious intention in WSC-UI to limit employment of 
cert pinning to only the discussed use cases, or were the other use cases 
overlooked?

I'm asking in the context of editing 
<http://tools.ietf.org/html/draft-saintandre-tls-server-id-check>, which is 
expressly about verification of cert-based server identity in TLS/SSL. In 
general. Our latest provisional language wrt this is..


 >       Security Note: Some existing interactive user agents give advanced
 >       users the option of proceeding despite an identity mismatch.
 >       Although this behavior can be appropriate in certain specialized
 >       circumstances, in general it needs to be exposed only to advanced
 >       users and even then needs to be handled with extreme caution, for
 >       example by first encouraging even an advanced user to terminate
 >       the connection and, if the advanced user chooses to proceed
 >       anyway, by forcing the user to view the entire certification path
 >       and only then allowing the user to choose whether to accept the
 >       certificate on a temporary or permanent basis.


We're considering how to reference WSC-UI here, but since this use-case 
apparently discussed in WSC-UI it's awkward.

thanks,

=JeffH
Received on Friday, 24 September 2010 23:46:32 GMT
