On Sun, Nov 8, 2015 at 9:45 PM, Martin Thomson <martin.thomson@gmail.com> wrote: > On 8 November 2015 at 15:42, Eric Rescorla <ekr@rtfm.com> wrote: > >> The most typically suggested use of this method is to retrieve one or > more > >> certificates so as to be able to display information to the user. > However, > >> since it is up to the application what to do with the certificate(s), > any > >> information displayed to the user is potentially untrustworthy. For > >> example, chain validation is a browser, not an application > responsibility. > > > > > > Actually, I'm not sure it is a browser responsibility, since there are > lots > > (most) cases where the peer certificate is unverifiable. At minimum you > > would need a "verified" bit. > > I would have thought that we would error out if the certificate didn't > match the a=fingerprint line. And we're certainly not building a > chain of any sort. > Then what is http://w3c.github.io/webrtc-stats/#widl-RTCCertificateStats-issuerCertificateId for? It seems to allow traversing the chain in stats. Which will allow the application to determine at what level the certificate is trusted.
Received on Monday, 9 November 2015 06:08:29 UTC