Re: Issue 378: `getRemoteCertificates()` is ill-defined

Dontcallmedom said:

"The spec is silent about the content of the array buffers returned by getRemoteCertificates()"

[Martin] Well, ArrayBuffer is (probably) the DER-encoded end-entity certificate. That's pretty useful if you have a DER decoder I guess.

[BA] It's getRemoteCertificates(), which would seem to imply that more than one certificate can be returned. So we could be potentially talking about a certificate chain (e.g. encountered by a browser contacting a contact center gateway).

The most typically suggested use of this method is to retrieve one or more certificates so as to be able to display information to the user. However, since it is up to the application what to do with the certificate(s), any information displayed to the user is potentially untrustworthy. For example, chain validation is a browser, not an application responsibility.

Received on Sunday, 8 November 2015 23:28:07 UTC
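Editor's added example, not code from this thread, the WebRTC spec or any browser: a minimal DER walker of the kind Martin alludes to, which takes each ArrayBuffer from getRemoteCertificates() as a DER-encoded X.509 certificate (an assumption, since the spec is silent) and pulls out the display fields BA mentions (serial, issuer CN, subject CN). The sample certificate is constructed inline with dummy key and signature bytes so the example runs offline under Node.js; nothing in the code verifies anything, which is the point of BA's caveat.

```javascript
// Added example: inspect what getRemoteCertificates() hands back, assuming each
// ArrayBuffer is one DER-encoded X.509 certificate. Nothing here is verified;
// the fields extracted are untrusted display information only.

// Read one DER TLV at `offset`; the value occupies bytes[start..end).
function readTlv(bytes, offset) {
  if (offset + 2 > bytes.length) throw new Error("truncated TLV header");
  const tag = bytes[offset];
  let len = bytes[offset + 1];
  let pos = offset + 2;
  if (len & 0x80) {                           // long form: low 7 bits = count of length octets
    const n = len & 0x7f;
    if (n === 0 || n > 4 || pos + n > bytes.length) throw new Error("bad DER length");
    len = 0;
    for (let i = 0; i < n; i++) len = (len << 8) | bytes[pos++];
  }
  if (pos + len > bytes.length) throw new Error("TLV value runs past end of buffer");
  return { tag, start: pos, end: pos + len };
}

// Children of a constructed TLV (SEQUENCE, SET, explicit tag).
function children(bytes, tlvNode) {
  const out = [];
  let pos = tlvNode.start;
  while (pos < tlvNode.end) {
    const child = readTlv(bytes, pos);
    out.push(child);
    pos = child.end;
  }
  return out;
}

const hex = (bytes, s, e) => Buffer.from(bytes.subarray(s, e)).toString("hex");

// commonName (OID 2.5.4.3 = 55 04 03) from an X.501 Name:
// SEQUENCE OF SET OF SEQUENCE { type OID, value }
function commonName(bytes, nameTlv) {
  for (const rdn of children(bytes, nameTlv)) {
    for (const atv of children(bytes, rdn)) {
      const [oid, value] = children(bytes, atv);
      if (hex(bytes, oid.start, oid.end) === "550403") {
        return Buffer.from(bytes.subarray(value.start, value.end)).toString("utf8");
      }
    }
  }
  return null;
}

// Walk Certificate -> tbsCertificate and pick out serial, issuer CN, subject CN.
function summarizeCertificate(arrayBuffer) {
  const bytes = new Uint8Array(arrayBuffer);
  const cert = readTlv(bytes, 0);                 // Certificate ::= SEQUENCE
  if (cert.tag !== 0x30) throw new Error("certificate is not a SEQUENCE");
  const fields = children(bytes, children(bytes, cert)[0]);   // tbsCertificate fields
  let i = 0;
  if (fields[0].tag === 0xa0) i++;               // optional explicit [0] version
  const serial = fields[i++];                     // serialNumber INTEGER
  i++;                                            // signature AlgorithmIdentifier (skipped)
  const issuer = fields[i++];
  i++;                                            // validity (skipped)
  const subject = fields[i++];
  return {
    serialHex: hex(bytes, serial.start, serial.end),
    issuerCN: commonName(bytes, issuer),
    subjectCN: commonName(bytes, subject),
  };
}

// getRemoteCertificates() returns an array (possibly a chain); summarize each entry.
function summarizeRemoteCertificates(arrayBuffers) {
  return arrayBuffers.map(summarizeCertificate);
}

// --- constructed sample: structurally valid DER, dummy key and signature bytes ---
function tlv(tag, ...parts) {
  const body = Buffer.concat(parts.map((p) => Buffer.from(p)));
  const len = body.length < 0x80 ? Buffer.from([body.length]) : Buffer.from([0x81, body.length]);
  return Buffer.concat([Buffer.from([tag]), len, body]);
}
const utf8 = (s) => tlv(0x0c, Buffer.from(s, "utf8"));
const name = (cn) => tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, [0x55, 0x04, 0x03]), utf8(cn))));
const ecdsaSha256 = tlv(0x30, tlv(0x06, [0x2a, 0x86, 0x48, 0xce, 0x3d, 0x04, 0x03, 0x02]));
const sampleDer = tlv(0x30,                                         // Certificate
  tlv(0x30,                                                         // tbsCertificate
    tlv(0xa0, tlv(0x02, [0x02])),                                   // [0] version v3
    tlv(0x02, [0x01, 0xf4]),                                        // serialNumber 500
    ecdsaSha256,                                                    // signature
    name("Example Gateway CA"),                                     // issuer
    tlv(0x30, tlv(0x17, "151108000000Z"), tlv(0x17, "161108000000Z")), // validity
    name("WebRTC-Contact-Center-Gateway"),                          // subject
    tlv(0x30, tlv(0x30, tlv(0x06, [0x2a, 0x86, 0x48, 0xce, 0x3d, 0x02, 0x01])),
        tlv(0x03, [0x00, 0x04, 0x01, 0x02]))                        // subjectPublicKeyInfo (dummy)
  ),
  ecdsaSha256,                                                      // signatureAlgorithm
  tlv(0x03, [0x00, 0x30, 0x00])                                     // signatureValue (dummy)
);
// Copy into a standalone ArrayBuffer, as the WebRTC API would hand one over.
const SAMPLE_CERT = sampleDer.buffer.slice(sampleDer.byteOffset, sampleDer.byteOffset + sampleDer.byteLength);

function summarizeSample() {
  return summarizeRemoteCertificates([SAMPLE_CERT])[0];
}
```

Run under Node.js; `summarizeSample()` returns the serial and the two CNs. The walker tolerates the absent or present version field and long-form lengths, but it deliberately does not check the signature or build a chain, since, as BA says, that is the browser's job and the application has nothing to check it against.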