ACTION-427: validated vs self-signed certificates

Joe,

on our 7 May call, you raised the issue that, technically, a locally
configured trust anchor can indeed be shown by a Web server during
TLS interactions.  Therefore, our use of "self-signed certificate"
is, strictly speaking, inexact -- the determining quality for
browser behavior is really that the certificate at the top of the
chain isn't trusted, not the length of the chain.

I've tried to cure this deficit by making the following changes:

1. In 5.1.3 Validated Certificates [1], change the text that
excludes self-signed certificates (even when pinned), to make clear
that pinning does not cause a certificate to suddenly be validated,
without ruling out self-signed, validated certificates in the first
place.

That section now reads as follows:

>The term [Definition: validated certificate] is used to denote a
>public key certificate that has been verified by chaining up to a
>locally configured trust anchor. The set of trust anchors used by a
>given Web User agent is implementation-dependent.
>
>Since Augmented Assurance Certificates chain up to a "special" trust
>anchor, all valid Augmented Assurance Certificates are also
>validated certificates.
>
>Certificates or certificate chains that are pinned to a particular
>destination are not considered validated certificates by virtue of
>being pinned.

2. In 5.1.5 Self-signed Certificates and Untrusted Root Certificates
[2], I've changed the first paragraph to make clear that the key
property here is not leading up to a trust anchor:

>Self-signed certificates (SSC) which are not trust anchors by
>themselves are commonly used for appliances and web sites catering
>to small groups of users, and essentially serve as a container for
>cryptographic key material in a key exchange that is not verified
>by any third party. Certificate chains that lead up to custom root
>certificates which are not part of the user agent's store of trust
>roots are sometimes used similarly.

Looking over 5.4.1 [3] again, I believe that the current state of
that section does not need further clarifications on this issue.

I'd welcome your review of the affected parts of the spec, though.

1. http://www.w3.org/2006/WSC/drafts/rec/rewrite.html#sec-validated-certificates
2. http://www.w3.org/2006/WSC/drafts/rec/rewrite.html#selfsignedcerts
3. http://www.w3.org/2006/WSC/drafts/rec/rewrite.html#sec-tlserrors

Regards,
-- 
Thomas Roessler, W3C  <tlr@w3.org>

Received on Friday, 6 June 2008 16:01:04 UTC