- From: Harald Alvestrand <harald@alvestrand.no>
- Date: Tue, 10 Nov 2015 09:28:51 +0100
- To: public-webrtc@w3.org
Den 09. nov. 2015 07:21, skrev Martin Thomson: > On 8 November 2015 at 21:57, Philipp Hancke <fippo@andyet.net> wrote: >> Then what is >> http://w3c.github.io/webrtc-stats/#widl-RTCCertificateStats-issuerCertificateId >> for? It seems to allow traversing the chain in stats. Which will allow the >> application to determine at what level the certificate is trusted. > > That would seem to be in support of a fundamentally different model > for authentication. Has anyone actually proposed that model? > When we added this in stats, it was more or less on the principle of "if it's in the protocol exchange, we should expose it". One could imagine cases where the app would care about this and have the means to do something about it - for instance, a banking app could ship the exposed certs to a central verification site and verify them there, thus providing certificate transparency-like detection that "something fishy is going on" - the browser wouldn't be able to tell that something was wrong, but the application might. All that said - I see absolutely no reason to use a different type for the certificate in stats and the certificate in getRemoteCertificates. They should be the same. (And the base64 DOMString form in stats is already implemented.)
Received on Tuesday, 10 November 2015 08:29:30 UTC