- From: Web Security Context Working Group Issue Tracker <sysbot+tracker@w3.org>
- Date: Sun, 12 Aug 2007 14:53:34 +0000 (GMT)
- To: public-wsc-wg@w3.org

ISSUE-103: Should unknown CAs and self-signed certificates be treated the same way? [Techniques]

http://www.w3.org/2006/WSC/track/issues/

Raised by: Thomas Roessler

On product: Techniques

Assuming that self-signed certificates are treated as pure containers, what should the treatment be for unknown CAs? Choices include:

- Perform path validation and cause errors as one would for a known and trusted CA, but don't display identity indicator? (This would effectively make the "weak" and "strong" TLS notions orthogonal to whether we trust a CA.)
- Ignore path validation and treat as pure containers for cryptographic material?

Received on Sunday, 12 August 2007 14:53:45 UTC