W3C home > Mailing lists > Public > public-webrtc@w3.org > November 2015

Re: Issue 378: `getRemoteCertificates()` is ill-defined

From: Philipp Hancke <fippo@andyet.net>
Date: Sun, 8 Nov 2015 21:57:58 -0800
Message-ID: <CAJraKYiORyE78JHBu4uOfjfZWPH62Y2-kMGLtUWytbOqHNx0BQ@mail.gmail.com>
To: Martin Thomson <martin.thomson@gmail.com>
Cc: Eric Rescorla <ekr@rtfm.com>, Bernard Aboba <Bernard.Aboba@microsoft.com>, "public-webrtc@w3.org" <public-webrtc@w3.org>
On Sun, Nov 8, 2015 at 9:45 PM, Martin Thomson <martin.thomson@gmail.com>
wrote:

> On 8 November 2015 at 15:42, Eric Rescorla <ekr@rtfm.com> wrote:
> >> The most typically suggested use of this method is to retrieve one or
> more
> >> certificates so as to be able to display information to the user.
> However,
> >> since it is up to the application what to do with the certificate(s),
> any
> >> information displayed to the user is potentially untrustworthy.   For
> >> example, chain validation is a browser, not an application
> responsibility.
> >
> >
> > Actually, I'm not sure it is a browser responsibility, since there are
> lots
> > (most) cases where the peer certificate is unverifiable. At minimum you
> > would need a "verified" bit.
>
> I would have thought that we would error out if the certificate didn't
> match the a=fingerprint line.  And we're certainly not building a
> chain of any sort.
>

Then what is
http://w3c.github.io/webrtc-stats/#widl-RTCCertificateStats-issuerCertificateId
for? It seems to allow traversing the chain in stats. Which will allow the
application to determine at what level the certificate is trusted.
Received on Monday, 9 November 2015 06:08:29 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 15:19:47 UTC