W3C home > Mailing lists > Public > public-webrtc@w3.org > November 2015

Re: Issue 378: `getRemoteCertificates()` is ill-defined

From: Bernard Aboba <Bernard.Aboba@microsoft.com>
Date: Sun, 8 Nov 2015 23:27:37 +0000
To: "public-webrtc@w3.org" <public-webrtc@w3.org>
CC: Martin Thomson <martin.thomson@gmail.com>
Message-ID: <BLUPR03MB149785C6BFFD0E984B0173FEC160@BLUPR03MB149.namprd03.prod.outlook.com>
Dontcallmedom said:

"The spec is silent about the content of the array buffers returned by getRemoteCertificates()"

[Martin] Well, ArrayBuffer is (probably) the DER-encoded end-entity certificate. That's pretty useful if you have a DER decoder I guess.

[BA] It's getRemoteCertificates(), which would seem to imply that more than one certificate can be returned.   So we could be potentially talking about a certificate chain (e.g. encountered by a browser contacting a contact center gateway).

The most typically suggested use of this method is to retrieve one or more certificates so as to be able to display information to the user.  However, since it is up to the application what to do with the certificate(s),  any information displayed to the user is potentially untrustworthy.   For example, chain validation is a browser, not an application responsibility.
Received on Sunday, 8 November 2015 23:28:07 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 19:18:10 UTC