W3C home > Mailing lists > Public > public-webrtc@w3.org > November 2015

Re: Issue 378: `getRemoteCertificates()` is ill-defined

From: Harald Alvestrand <harald@alvestrand.no>
Date: Tue, 10 Nov 2015 09:28:51 +0100
To: public-webrtc@w3.org
Message-ID: <5641AAC3.7010806@alvestrand.no>
Den 09. nov. 2015 07:21, skrev Martin Thomson:
> On 8 November 2015 at 21:57, Philipp Hancke <fippo@andyet.net> wrote:
>> Then what is
>> http://w3c.github.io/webrtc-stats/#widl-RTCCertificateStats-issuerCertificateId
>> for? It seems to allow traversing the chain in stats. Which will allow the
>> application to determine at what level the certificate is trusted.
> 
> That would seem to be in support of a fundamentally different model
> for authentication.  Has anyone actually proposed that model?
> 

When we added this in stats, it was more or less on the principle of "if
it's in the protocol exchange, we should expose it".

One could imagine cases where the app would care about this and have the
means to do something about it - for instance, a banking app could ship
the exposed certs to a central verification site and verify them there,
thus providing certificate transparency-like detection that "something
fishy is going on" - the browser wouldn't be able to tell that something
was wrong, but the application might.

All that said - I see absolutely no reason to use a different type for
the certificate in stats and the certificate in getRemoteCertificates.
They should be the same. (And the base64 DOMString form in stats is
already implemented.)
Received on Tuesday, 10 November 2015 08:29:30 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 15:19:47 UTC