W3C home > Mailing lists > Public > public-webrtc@w3.org > November 2015

Re: Issue 378: `getRemoteCertificates()` is ill-defined

From: Eric Rescorla <ekr@rtfm.com>
Date: Sun, 8 Nov 2015 15:42:10 -0800
Message-ID: <CABcZeBObUEoK8s-gR97V=r=CYqL5uia_K=VnduFO5MXphFJQvg@mail.gmail.com>
To: Bernard Aboba <Bernard.Aboba@microsoft.com>
Cc: "public-webrtc@w3.org" <public-webrtc@w3.org>, Martin Thomson <martin.thomson@gmail.com>
On Sun, Nov 8, 2015 at 3:27 PM, Bernard Aboba <Bernard.Aboba@microsoft.com>
wrote:

> Dontcallmedom said:
>
>
>
> “The spec is silent about the content of the array buffers returned by
> getRemoteCertificates()”
>
>
>
> [Martin] Well, ArrayBuffer is (probably) the DER-encoded end-entity
> certificate. That's pretty useful if you have a DER decoder I guess.
>
>
>
> [BA] It's getRemoteCertificates(), which would seem to imply that more
> than one certificate can be returned.   So we could be potentially talking
> about a certificate chain (e.g. encountered by a browser contacting a
> contact center gateway).
>
>
>
> The most typically suggested use of this method is to retrieve one or more
> certificates so as to be able to display information to the user.  However,
> since it is up to the application what to do with the certificate(s),  any
> information displayed to the user is potentially untrustworthy.   For
> example, chain validation is a browser, not an application responsibility.
>

Actually, I'm not sure it is a browser responsibility, since there are lots
(most) cases where the peer certificate is unverifiable. At minimum you
would need a "verified" bit.

-Ekr
Received on Sunday, 8 November 2015 23:43:18 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 15:19:47 UTC