- From: Martin Thomson <martin.thomson@gmail.com>
- Date: Sun, 8 Nov 2015 21:45:12 -0800
- To: Eric Rescorla <ekr@rtfm.com>
- Cc: Bernard Aboba <Bernard.Aboba@microsoft.com>, "public-webrtc@w3.org" <public-webrtc@w3.org>
On 8 November 2015 at 15:42, Eric Rescorla <ekr@rtfm.com> wrote:

>> The most typically suggested use of this method is to retrieve one or more
>> certificates so as to be able to display information to the user. However,
>> since it is up to the application what to do with the certificate(s), any
>> information displayed to the user is potentially untrustworthy. For
>> example, chain validation is a browser, not an application responsibility.
>
> Actually, I'm not sure it is a browser responsibility, since there are lots
> (most) cases where the peer certificate is unverifiable. At minimum you
> would need a "verified" bit.

I would have thought that we would error out if the certificate didn't match
the a=fingerprint line. And we're certainly not building a chain of any sort.

I always imagined this sort of API as being little better than a way of
getting the fingerprint line that is in use, with a possibility of exposing
more than that by DIY DER parsing. As a container for a public key, the rest
of the cert isn't much use in the general case and any other case is likely
to need specialized application logic.
Received on Monday, 9 November 2015 05:45:40 UTC