
[webappsec] "certificates differ" text in CORS

From: Hill, Brad <bhill@paypal-inc.com>
Date: Fri, 14 Sep 2012 23:12:32 +0000
To: "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <370C9BEB4DD6154FA963E2F79ADC6F2E265C08@DEN-EXDDA-S12.corp.ebay.com>
Hat="individual"

In the CORS spec, it currently states that the UA may terminate the algorithm if, e.g. "certificates differ".  I've fielded questions about this, and some investigation seems to have uncovered that this was intended to cover the case where a different certificate might be presented between the pre-flight request and actual request.  However, this is normal behavior for the web PKI, and I don't think it should be a reason to terminate, so long as both certificates are valid.

I think a clarification and better statement of proper behavior would be if "an invalid certificate is presented".  Since certificate warning dialogs are already extremely problematic for users even when they have the URL bar to compare against, an invalid certificate in a cross-domain context is probably impossible for most users to make a meaningful trust decision about and should simply result in a termination of the algorithm.

Thoughts?

Brad Hill
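To make the two candidate rules concrete, here is an added Python model of a user agent's decision at the end of the preflight/actual-request pair. It is not part of the message above or of the CORS specification; the certificate dicts, the trust store name `Example Root CA`, the rule names `certificates-differ` and `invalid-certificate` and the dates are all constructed for illustration. The point it shows is that the current rule aborts on a perfectly ordinary certificate rotation between two TLS connections, while the proposed rule only aborts when one of the connections fails validation on its own.

```python
"""Toy model of the two CORS termination rules (constructed example).

Certificates are plain dicts standing in for parsed X.509 data; no real TLS
handshake is performed. The hostname matching follows the usual rule that a
wildcard covers exactly one left-most label.
"""
from datetime import datetime, timezone
from fnmatch import fnmatchcase

# Constructed trust store: issuers the user agent accepts.
TRUSTED_ISSUERS = {"Example Root CA"}


def hostname_matches(names, host):
    """Return True if one of the subjectAltName entries covers `host`."""
    for name in names:
        if name.startswith("*."):
            # A wildcard must not span a dot, so label counts have to agree.
            if host.count(".") == name.count(".") and fnmatchcase(host, name):
                return True
        elif name.lower() == host.lower():
            return True
    return False


def certificate_is_valid(cert, host, now):
    """Validate one certificate on its own: trusted issuer, in its validity
    window, and matching the requested host."""
    return (cert["issuer"] in TRUSTED_ISSUERS
            and cert["not_before"] <= now <= cert["not_after"]
            and hostname_matches(cert["san"], host))


def should_terminate(preflight_cert, actual_cert, host, now, rule):
    """Decide whether the CORS algorithm terminates under the named rule."""
    if rule == "certificates-differ":
        # Current text: any change of certificate between the preflight and
        # the actual request aborts the algorithm, valid or not.
        return preflight_cert != actual_cert
    if rule == "invalid-certificate":
        # Proposed text: each connection's certificate is checked on its own;
        # terminate only if one of them fails validation.
        return not (certificate_is_valid(preflight_cert, host, now)
                    and certificate_is_valid(actual_cert, host, now))
    raise ValueError(f"unknown rule: {rule}")


# Constructed certificates for api.example.com. OLD and NEW are both valid at
# NOW; a server mid-rotation may present either on any given connection.
NOW = datetime(2012, 9, 14, tzinfo=timezone.utc)
OLD_CERT = {"issuer": "Example Root CA", "san": ["*.example.com"],
            "not_before": datetime(2011, 9, 1, tzinfo=timezone.utc),
            "not_after": datetime(2012, 9, 30, tzinfo=timezone.utc)}
NEW_CERT = {"issuer": "Example Root CA", "san": ["api.example.com"],
            "not_before": datetime(2012, 9, 1, tzinfo=timezone.utc),
            "not_after": datetime(2013, 9, 30, tzinfo=timezone.utc)}
BAD_CERT = dict(NEW_CERT, issuer="Untrusted CA")  # not chained to the store


def compare_rules(host="api.example.com", now=NOW):
    """Run both rules over a benign rotation and over a bad second cert."""
    return {
        "rotation/certificates-differ":
            should_terminate(OLD_CERT, NEW_CERT, host, now, "certificates-differ"),
        "rotation/invalid-certificate":
            should_terminate(OLD_CERT, NEW_CERT, host, now, "invalid-certificate"),
        "untrusted/invalid-certificate":
            should_terminate(OLD_CERT, BAD_CERT, host, now, "invalid-certificate"),
    }


if __name__ == "__main__":
    for case, terminated in compare_rules().items():
        print(f"{case}: {'terminate' if terminated else 'continue'}")
```

Under `certificates-differ` the benign rotation terminates the request; under `invalid-certificate` it continues, and only the untrusted certificate terminates it, which is the behaviour the message argues for.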
Received on Friday, 14 September 2012 23:13:00 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Friday, 14 September 2012 23:13:01 GMT