Re: ISSUE-183: Automatic Selfsigned Certificate acceptance/probation MUST NOT be implemented unless there is a history capability [wsc-xit]

The associated action, ACTION-418 has been completed. This issue is 
ready to be closed.

Web Security Context Working Group Issue Tracker wrote:
> 
> ISSUE-183: Automatic Selfsigned Certificate acceptance/probation MUST NOT be implemented unless there is a history capability [wsc-xit]
> 
> http://www.w3.org/2006/WSC/track/issues/
> 
> Raised by: Yngve Pettersen
> On product: wsc-xit
> 
> If a client is able to automatically accept a Selfsigned Certificate, or recover from a similar problem without user interaction, it MUST NOT do so unless the client also has a history mechanism about security information.
> 
> The reason for this is that if there is no information about the previous security state available, an attacker can exploit such automatic actions to stage a Man-In-the-Middle attack by replacing the original site's certificate.
> 

Received on Sunday, 11 May 2008 21:32:46 UTC
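One way to model the requirement in the quoted issue, as an added example that is not code from the working group or from any browser: a per-host store of the self-signed certificate fingerprint previously accepted, compared against the certificate offered on the next connection. The certificate byte strings, host name and `CertHistory` class are constructed for illustration.

```python
import hashlib
from dataclasses import dataclass, field

# Constructed placeholder "certificates". In a real client these would be the
# DER bytes of the leaf certificate taken from the TLS handshake.
ORIGINAL_CERT = b"CONSTRUCTED self-signed cert for example.test (key A)"
REPLACED_CERT = b"CONSTRUCTED self-signed cert for example.test (key B)"


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 fingerprint (hex) of the raw certificate bytes."""
    return hashlib.sha256(cert_der).hexdigest()


@dataclass
class CertHistory:
    """Per-host record of the self-signed certificate last accepted.

    This is the 'history mechanism about security information' the issue
    requires before a client may accept a self-signed cert without asking.
    """
    seen: dict = field(default_factory=dict)  # host -> fingerprint

    def evaluate(self, host: str, cert_der: bytes) -> str:
        """Return 'accept-first-seen', 'accept-known' or 'reject-mismatch'."""
        fp = fingerprint(cert_der)
        prior = self.seen.get(host)
        if prior is None:
            # No prior state for this host: accept on probation and record it,
            # so that any later substitution becomes detectable.
            self.seen[host] = fp
            return "accept-first-seen"
        if prior == fp:
            return "accept-known"
        # A different self-signed certificate for a host we already have state
        # for is exactly the replacement the issue warns about: never auto-accept.
        return "reject-mismatch"


def evaluate_without_history(host: str, cert_der: bytes) -> str:
    """The behaviour the issue forbids: with no stored state every certificate
    looks 'new', so a replaced certificate is accepted just like the original."""
    return "accept-first-seen"


if __name__ == "__main__":
    history = CertHistory()
    print(history.evaluate("example.test", ORIGINAL_CERT))  # accept-first-seen
    print(history.evaluate("example.test", REPLACED_CERT))  # reject-mismatch
    print(evaluate_without_history("example.test", REPLACED_CERT))  # accept-first-seen
```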