Re: [webrtc-pc] Allow to import existing certificate

Firefox also supports persisting of certificates (and their corresponding keys).

@aboba, I don't think that this would necessarily need validation, though it certainly suggests that it would have value.  If we were to do anything here, I'd suggest that it be to support signing of certificates by a CA.  That's a pretty cumbersome process that involves exporting a PKCS#10 CSR and importing the signed certificate (including validation of the same). We'd need significant motivation to support even that.

As stated, this could be used to subvert the security mechanisms we have implemented.  It's not mere trouble as Tim suggests, but a full-blown undermining of our identity mechanism.  I would recommend closing this, then opening other issues to track the stated alternatives if those are still desirable.

-- 
GitHub Notification of comment by martinthomson
Please view or discuss this issue at https://github.com/w3c/webrtc-pc/issues/1853#issuecomment-385305455 using your GitHub account

Received on Monday, 30 April 2018 03:04:29 UTC