On Sun, Nov 8, 2015 at 3:27 PM, Bernard Aboba <Bernard.Aboba@microsoft.com>
wrote:
> Dontcallmedom said:
>
> “The spec is silent about the content of the array buffers returned by
> getRemoteCertificates()”
>
> [Martin] Well, ArrayBuffer is (probably) the DER-encoded end-entity
> certificate. That's pretty useful if you have a DER decoder I guess.
>
> [BA] It's getRemoteCertificates(), which would seem to imply that more
> than one certificate can be returned. So we could be potentially talking
> about a certificate chain (e.g. encountered by a browser contacting a
> contact center gateway).
>
> The most typically suggested use of this method is to retrieve one or more
> certificates so as to be able to display information to the user. However,
> since it is up to the application what to do with the certificate(s), any
> information displayed to the user is potentially untrustworthy. For
> example, chain validation is a browser, not an application responsibility.
>
Actually, I'm not sure it is a browser responsibility, since there are lots
of (most) cases where the peer certificate is unverifiable. At minimum you
would need a "verified" bit.
-Ekr