- From: Yngve Nysaeter Pettersen <yngve@opera.com>
- Date: Wed, 02 May 2007 19:43:26 +0200
- To: michael.mccormick@wellsfargo.com, Mary_Ellen_Zurko@notesdev.ibm.com
- Cc: public-wsc-wg@w3.org
Hello all,

I am not quite sure if this fits into the anti-pattern discussion but it may be relevant.

I occasionally have to deal with a particular type of homemade certificates. The certificate chain contains at least two certificates, but two of them (A and B) have the same Distinguished Name (X) as Issuer and Subject, but have different public keys (K_A and K_B), and one of them was used to sign the other (that is, Cert_A has Subject X and Issuer X, Key K_A, and is signed by K_B from Cert_B; Cert_B has Subject X and key K_B; Cert_B is usually self-signed, but might be part of a longer chain). There is no Authority Key Identifier extension.

That means that as far as the certificate validation (in Opera, at least) is concerned the lowermost certificate (Cert_A) is self-signed, but the signature does not verify.

Opera treats this certificate as a signature verification failure and issues a fatal TLS error (code 42, "Bad certificate") and refuses to access the site, but other clients treat this as an Unknown CA and ask the user.

One live example (currently) is <URL: https://proj.koios.de/ >

Any opinions on this particular scenario, and how it should be handled?

On Tue, 24 Apr 2007 00:41:17 +0200, <michael.mccormick@wellsfargo.com> wrote:

> It appears ACTION-182 stems from my Lightning Discussion on 4 April
> about the cryptic IE6 browser errors that I received when I encountered
> a self-signed SSL certificate at the www.x9.org web site. According to
> my notes, as well as the official meeting notes from Thomas, we had a
> lively discussion about the security anti patterns implied by such
> browser error messages. In particular I captured the following possible
> anti patterns in my notes:
>
> 1. Use of technical jargon containing terms with which the average
> layperson is not familiar.
> 2. Providing a web site's URL as the only contact info for it. (creates
> "catch-22" dilemma for user)
> 3. Actions suggested can't really be carried out.
> 4. Consequences or risks of user actions not explained.
>
> These are the [anti-]recommendations I propose we adopt. Anticipating
> comment, I haven't yet updated the wiki.
>
> Cheers Mike

--
Sincerely,
Yngve N. Pettersen

********************************************************************
Senior Developer                     Email: yngve@opera.com
Opera Software ASA                   http://www.opera.com/
Phone: +47 24 16 42 60               Fax: +47 24 16 40 01
********************************************************************
Received on Wednesday, 2 May 2007 17:47:37 UTC
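
The two client behaviours described in the message above, as an added example that is not part of the original message and is not Opera's or any other browser's code. It models certificates as records and replaces real signature verification with a `signed_by` field; the names `Cert`, `name_only_check` and `build_path`, the verdict strings, and the sample values are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    label: str
    subject: str
    issuer: str
    key: str        # public key carried by the certificate
    signed_by: str  # key that produced the signature (stand-in for real crypto)

def verifies(cert, key):
    """Model of signature verification: True if `key` signed `cert`."""
    return cert.signed_by == key

def name_only_check(cert):
    """Treat Subject == Issuer as 'self-signed' and verify with the cert's own key."""
    if cert.subject == cert.issuer:
        return "self-signed" if verifies(cert, cert.key) else "bad-signature"
    return "needs-issuer"

def build_path(leaf, pool, trusted_keys):
    """Select each issuer by name AND by a verifying key; return (path, verdict)."""
    path, current = [leaf], leaf
    while True:
        if verifies(current, current.key):  # genuinely self-signed: the path ends
            verdict = "trusted" if current.key in trusted_keys else "unknown-ca"
            return [c.label for c in path], verdict
        candidates = [c for c in pool
                      if c.subject == current.issuer
                      and c not in path
                      and verifies(current, c.key)]
        if not candidates:
            return [c.label for c in path], "no-verifying-issuer"
        current = candidates[0]
        path.append(current)

# Constructed sample matching the scenario: same DN X on both certificates,
# different keys, Cert_A signed with K_B, no Authority Key Identifier to help.
X = "CN=X"
CERT_B = Cert("Cert_B", subject=X, issuer=X, key="K_B", signed_by="K_B")
CERT_A = Cert("Cert_A", subject=X, issuer=X, key="K_A", signed_by="K_B")

if __name__ == "__main__":
    print(name_only_check(CERT_A))                       # name-based view
    print(build_path(CERT_A, [CERT_A, CERT_B], set()))   # signature-based view
```

With name matching alone Cert_A looks self-signed and fails verification; when the issuer is chosen by trying the keys of same-named certificates, the path ends at Cert_B and the outcome depends only on whether K_B is a trust anchor.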