W3C home > Mailing lists > Public > public-wsc-wg@w3.org > February 2008

ISSUE-183: Automatic Selfsigned Certificate acceptance/probation MUST NOT be implemented unless there is a history capability [wsc-xit]

From: Web Security Context Working Group Issue Tracker <sysbot+tracker@w3.org>
Date: Thu, 7 Feb 2008 00:27:12 +0000 (GMT)
To: public-wsc-wg@w3.org
Message-Id: <20080207002713.0201B6B5EA@tibor.w3.org>


ISSUE-183: Automatic Selfsigned Certificate acceptance/probation MUST NOT be implemented unless there is a history capability [wsc-xit]

http://www.w3.org/2006/WSC/track/issues/

Raised by: Yngve Pettersen
On product: wsc-xit

If a client is able to automatically accept a Selfsigned Certificate, or recover from similar problem without user interaction, it MUST NOT do so unless the client also have a history mechanism about security information.

The reason for this is that if there is no information about the previous security state available, an attacker can exploit such automatic actions to stage a Man-In-the-Middle attack by replacing the original site's certificate.
Received on Thursday, 7 February 2008 00:27:24 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Thursday, 7 February 2008 00:27:25 GMT