[webappsec] "certificates differ" text in CORS

Hat="individual"

In the CORS spec, it currently states that the UA may terminate the algorithm if, e.g. "certificates differ".  I've fielded questions about this, and some investigation seems to have uncovered that this was intended to cover the case where a different certificate might be presented between the pre-flight request and actual request.  However, this is normal behavior for the web PKI, and I don't think it should be a reason to terminate, so long as both certificates are valid.

I think a clearer statement of proper behavior would be to terminate if "an invalid certificate is presented". Since certificate warning dialogs are already extremely problematic for users even when they have the URL bar to compare against, an invalid certificate in a cross-domain context is probably impossible for most users to make a meaningful trust decision about, and should simply result in termination of the algorithm.

Thoughts?

Brad Hill

Received on Friday, 14 September 2012 23:13:00 UTC
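The two readings of the spec text discussed in this message, as an added example that is not part of the original message, of the CORS spec, or of any browser's code: a toy model in Python that checks a constructed certificate record (expiry window, trusted issuer, subjectAltName host match with a single leading wildcard label) and then applies either the current "certificates differ" rule or the proposed "invalid certificate" rule to a preflight/actual-request pair. The trust store, host name, serial numbers and timestamps are assumptions for illustration; no real X.509 parsing is done.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumed toy trust store; a real UA consults the platform's root store.
TRUSTED_ISSUERS = {"Example Root CA", "Example Intermediate CA G2"}

# Assumed reference time for the scenarios (the date of the message above).
NOW = datetime(2012, 9, 14, 23, 13, tzinfo=timezone.utc)
HOST = "api.example.com"  # assumed cross-origin target host


@dataclass(frozen=True)
class Cert:
    """Constructed stand-in for an X.509 leaf certificate (no real ASN.1)."""
    serial: str
    issuer: str
    names: tuple          # subjectAltName dNSName entries
    not_before: datetime
    not_after: datetime


def name_matches(pattern: str, host: str) -> bool:
    """RFC 6125-style host match: exact, or one wildcard as the leftmost label."""
    pattern, host = pattern.lower(), host.lower()
    if pattern == host:
        return True
    if pattern.startswith("*."):
        suffix = pattern[1:]                       # ".example.com"
        return host.endswith(suffix) and "." not in host[:-len(suffix)]
    return False


def is_valid(cert: Cert, host: str, now: datetime) -> bool:
    """The checks a UA already applies to any TLS connection, preflight or not."""
    if cert.issuer not in TRUSTED_ISSUERS:
        return False
    if not (cert.not_before <= now <= cert.not_after):
        return False
    return any(name_matches(n, host) for n in cert.names)


def abort_current_rule(preflight: Cert, actual: Cert, host: str, now: datetime) -> bool:
    """Spec text as quoted: terminate if the certificates differ.
    An invalid certificate fails the connection anyway, so it also aborts."""
    if not (is_valid(preflight, host, now) and is_valid(actual, host, now)):
        return True
    return preflight != actual


def abort_proposed_rule(preflight: Cert, actual: Cert, host: str, now: datetime) -> bool:
    """Proposed text: terminate only if an invalid certificate is presented."""
    return not (is_valid(preflight, host, now) and is_valid(actual, host, now))


def compare_rules(preflight: Cert, actual: Cert, host: str = HOST, now: datetime = NOW) -> dict:
    """Decision of each rule for one preflight/actual-request certificate pair."""
    return {
        "current": abort_current_rule(preflight, actual, host, now),
        "proposed": abort_proposed_rule(preflight, actual, host, now),
    }


# Constructed certificates: all serials, dates and issuers are invented.
CA = "Example Intermediate CA G2"
CERT_A = Cert("01", CA, ("api.example.com",), NOW - timedelta(days=30), NOW + timedelta(days=335))
# A different but valid certificate, e.g. a rotated key or another CDN edge node.
CERT_B = Cert("02", CA, ("*.example.com",), NOW - timedelta(days=1), NOW + timedelta(days=364))
CERT_EXPIRED = Cert("03", CA, ("api.example.com",), NOW - timedelta(days=400), NOW - timedelta(days=35))
CERT_UNTRUSTED = Cert("04", "Unknown CA", ("api.example.com",), NOW - timedelta(days=1), NOW + timedelta(days=364))

SCENARIOS = {
    "same cert on both requests": (CERT_A, CERT_A),
    "different but both valid": (CERT_A, CERT_B),
    "actual request presents expired cert": (CERT_A, CERT_EXPIRED),
    "actual request presents untrusted issuer": (CERT_A, CERT_UNTRUSTED),
}

if __name__ == "__main__":
    for label, (pre, act) in SCENARIOS.items():
        r = compare_rules(pre, act)
        print(f"{label:42s} current: {'abort' if r['current'] else 'continue':8s} "
              f"proposed: {'abort' if r['proposed'] else 'continue'}")
```

The "different but both valid" scenario is the one the message is about: the rule as written aborts a perfectly normal web PKI situation (certificate rotation, or two edge nodes behind one name), while the proposed wording continues, and both rules still abort on an expired or untrusted certificate.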