Re: Issue 378: `getRemoteCertificates()` is ill-defined

On Sun, Nov 8, 2015 at 9:45 PM, Martin Thomson <martin.thomson@gmail.com> wrote:

> On 8 November 2015 at 15:42, Eric Rescorla <ekr@rtfm.com> wrote:
> >> The most typically suggested use of this method is to retrieve one or more
> >> certificates so as to be able to display information to the user. However,
> >> since it is up to the application what to do with the certificate(s), any
> >> information displayed to the user is potentially untrustworthy. For
> >> example, chain validation is a browser, not an application responsibility.
> >
> >
> > Actually, I'm not sure it is a browser responsibility, since there are lots
> > (most) cases where the peer certificate is unverifiable. At minimum you
> > would need a "verified" bit.
>
> I would have thought that we would error out if the certificate didn't
> match the a=fingerprint line.  And we're certainly not building a
> chain of any sort.
>

Then what is
http://w3c.github.io/webrtc-stats/#widl-RTCCertificateStats-issuerCertificateId
for? It seems to allow traversing the chain in stats. Which will allow the
application to determine at what level the certificate is trusted.

Received on Monday, 9 November 2015 06:08:29 UTC