- From: Thomas Roessler <tlr@w3.org>
- Date: Mon, 4 Oct 2010 09:49:25 -0400
- To: =JeffH <Jeff.Hodges@KingsMountain.com>
- Cc: Thomas Roessler <tlr@w3.org>, public-usable-authentication@w3.org
On 24 Sep 2010, at 19:39, =JeffH wrote:

> AFAICT, <http://www.w3.org/TR/wsc-ui/> [WSC-UI] discusses cert "pinning" only in the case of self-signed certs, or certs whose cert chain leads to an untrusted root certificate.
>
> We're curious as to whether cert pinning in the face of subject name mismatch was considered as a use case, as well as in the face of other TLS/SSL cert errors, as apparently done by present browsers (for better or worse).
>
> In other words, is it your conscious intention in WSC-UI to limit employment of cert pinning to only the discussed use cases, or were the other use cases overlooked?

I don't recall that we discussed the other use cases in detail around pinning. Note, though, that "pinning" refers to recording state about security decisions and re-using it later on; there is separate language about the ability to override a warning, even in the case of an identity mismatch.

> I'm asking in the context of editing <http://tools.ietf.org/html/draft-saintandre-tls-server-id-check>, which is expressly about verification of cert-based server identity in TLS/SSL. In general. Our latest provisional language wrt this is..
>
> > Security Note: Some existing interactive user agents give advanced
> > users the option of proceeding despite an identity mismatch.
> > Although this behavior can be appropriate in certain specialized
> > circumstances, in general it needs to be exposed only to advanced
> > users and even then needs to be handled with extreme caution, for
> > example by first encouraging even an advanced user to terminate
> > the connection and, if the advanced user chooses to proceed
> > anyway, by forcing the user to view the entire certification path
> > and only then allowing the user to choose whether to accept the
> > certificate on a temporary or permanent basis.
>
> We're considering how to reference WSC-UI here, but since this use-case apparently discussed in WSC-UI it's awkward.
>
> thanks,
>
> =JeffH
Received on Monday, 4 October 2010 13:49:32 UTC