- From: Anil Saldhana <Anil.Saldhana@redhat.com>
- Date: Sun, 11 May 2008 16:32:00 -0500
- To: Web Security Context Working Group WG <public-wsc-wg@w3.org>
The associated action, ACTION-418, has been completed. This issue is ready to be closed.

Web Security Context Working Group Issue Tracker wrote:
> ISSUE-183: Automatic Selfsigned Certificate acceptance/probation MUST NOT be implemented unless there is a history capability [wsc-xit]
>
> http://www.w3.org/2006/WSC/track/issues/
>
> Raised by: Yngve Pettersen
> On product: wsc-xit
>
> If a client is able to automatically accept a Selfsigned Certificate, or recover from a similar problem without user interaction, it MUST NOT do so unless the client also has a history mechanism about security information.
>
> The reason for this is that if there is no information about the previous security state available, an attacker can exploit such automatic actions to stage a Man-In-the-Middle attack by replacing the original site's certificate.
Received on Sunday, 11 May 2008 21:32:46 UTC
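As an added illustration, not part of this thread or of the WSC drafts: a minimal client-side decision routine that applies the rule quoted above, where a self-signed certificate is accepted automatically only when a security history exists to compare against. The SecurityHistory class, the outcome names and the certificate bytes are assumptions constructed for this example.

```python
import hashlib
from typing import Dict, Optional

# Decision outcomes for a self-signed certificate (names are this example's own).
ASK_USER = "ask-user"                  # no history mechanism: automatic acceptance is forbidden
ACCEPT_PROBATION = "accept-probation"  # first contact, recorded so a later change is visible
ACCEPT_KNOWN = "accept-known"          # matches the fingerprint stored for this host
WARN_CHANGED = "warn-changed"          # stored fingerprint differs: possible certificate replacement


class SecurityHistory:
    """Per-host store of the certificate fingerprint last seen (an assumed, minimal design)."""

    def __init__(self) -> None:
        self._seen: Dict[str, str] = {}

    def lookup(self, host: str) -> Optional[str]:
        return self._seen.get(host)

    def remember(self, host: str, fp: str) -> None:
        self._seen[host] = fp


def fingerprint(der_cert: bytes) -> str:
    # SHA-256 over the DER-encoded certificate, as a hex string.
    return hashlib.sha256(der_cert).hexdigest()


def decide_self_signed(host: str, der_cert: bytes, history: Optional[SecurityHistory]) -> str:
    """Apply the ISSUE-183 rule: no automatic acceptance without a history mechanism."""
    if history is None:
        return ASK_USER                 # nothing to compare against, so the user must decide
    fp = fingerprint(der_cert)
    previous = history.lookup(host)
    if previous is None:
        history.remember(host, fp)      # probation: record it so a later swap is detectable
        return ACCEPT_PROBATION
    if previous == fp:
        return ACCEPT_KNOWN
    return WARN_CHANGED                 # the replacement the rationale above warns about


def demo() -> list:
    """Constructed scenario: one host, the original certificate twice, then a different one."""
    original = b"constructed DER bytes for example.test, certificate 1"
    replaced = b"constructed DER bytes for example.test, certificate 2"
    history = SecurityHistory()
    return [
        decide_self_signed("example.test", original, None),     # client has no history mechanism
        decide_self_signed("example.test", original, history),  # first contact with history
        decide_self_signed("example.test", original, history),  # revisit, certificate unchanged
        decide_self_signed("example.test", replaced, history),  # certificate swapped in transit
    ]
```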