W3C home > Mailing lists > Public > public-webrtc@w3.org > November 2015

Re: Issue 378: `getRemoteCertificates()` is ill-defined

From: Martin Thomson <martin.thomson@gmail.com>
Date: Sun, 8 Nov 2015 21:45:12 -0800
Message-ID: <CABkgnnX=6yqxFBHPzvebos9Nnxzqjs-qY_P1b5W7mF8vsf7Mkg@mail.gmail.com>
To: Eric Rescorla <ekr@rtfm.com>
Cc: Bernard Aboba <Bernard.Aboba@microsoft.com>, "public-webrtc@w3.org" <public-webrtc@w3.org>
On 8 November 2015 at 15:42, Eric Rescorla <ekr@rtfm.com> wrote:
>> The most typically suggested use of this method is to retrieve one or more
>> certificates so as to be able to display information to the user.  However,
>> since it is up to the application what to do with the certificate(s),  any
>> information displayed to the user is potentially untrustworthy.   For
>> example, chain validation is a browser, not an application responsibility.
>
>
> Actually, I'm not sure it is a browser responsibility, since there are lots
> (most) cases where the peer certificate is unverifiable. At minimum you
> would need a "verified" bit.

I would have thought that we would error out if the certificate didn't
match the a=fingerprint line.  And we're certainly not building a
chain of any sort.

I always imagined this sort of API as being little better than a way
of getting the fingerprint line that is in use, with a possibility of
exposing more than that by DIY DER parsing.  As a container for a
public key, the rest of the cert isn't much use in the general case
and any other case is likely to need specialized application logic.
Received on Monday, 9 November 2015 05:45:40 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 15:19:47 UTC