- From: Joe Steele <steele@adobe.com>
- Date: Mon, 12 May 2008 15:19:02 -0700
- To: <public-wsc-wg@w3.org>
- Message-ID: <7E19CB0359C4684887FB8C663DFD71080348A8FC@namail2.corp.adobe.com>
I realized after reading sections 5.1.5 and 5.5.1 again (and again and again...) that this does not exclude searching an external pinning cache automatically. I am happy with this, since this is a specific case that implementers may care about (I certainly do). Mez, please keep reminding me to read the spec thoroughly before speaking. :-)

However, a related issue came up - it looks like a user agent can automatically pin a self-signed certificate to a site which did not already have a pinned certificate and still be conformant. These are the relevant bits of text:

Section 5.1.5 Self-signed certificate and Untrusted Root Certificates
"If a client is able to automatically accept a self-signed certificate, or recover from similar problem without user interaction, it MUST NOT do so unless the client also have a history mechanism about security information."

Section 5.5.1 TLS errors
"3. Otherwise, user agents MAY use error signaling of class notification to offer pinning ..."

Section 6.4.2 Notifications and Status Indicators
"These indicators MAY include user interaction ..."

Shouldn't the error signaling be of class warning (section 6.4.3) to ensure the user must interact to pin a new certificate to the site? This would be consistent with #2 in section 5.5.1 as well.

After reading through the minutes on the 2/6 teleconference, it looked like the decision was made to not warn strongly in this case. I am not clear on why though. It seems like some of the discussion about this was not captured. Or I am not finding it. :-) Either way I would appreciate clarification. I remember some discussion of this on the last teleconference, but I did not capture it in my notes.

BTW - I will be attempting to dial in to Oslo tonight.

Joe
Received on Monday, 12 May 2008 22:19:52 UTC
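The pinning decision Joe describes, written out as an added example (this is not code from the message, the working group, or any user agent). It models the two readings side by side: under the spec text quoted above, a site with no existing pin may get a class "notification" signal, which lets the user agent pin a self-signed certificate without any user interaction; under the proposed change it gets a class "warning" signal, so pinning happens only after the user confirms. The certificate structure, the SPKI fingerprint, the `PinStore` history mechanism, and the `strict_new_pin` switch are all assumptions made for the example; a site with a pin that does not match the presented certificate is treated as a warning here, which is a choice of this example and not something the quoted text specifies.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Optional

# Error-signalling classes named in the quoted spec sections.
ACCEPT = "accept"              # no error signalling needed
NOTIFICATION = "notification"  # section 6.4.2: interaction optional
WARNING = "warning"            # section 6.4.3: user must interact


@dataclass(frozen=True)
class Certificate:
    """Constructed stand-in for a server certificate; only the fields the
    decision logic needs. A real user agent would parse X.509/DER."""
    subject: str
    issuer: str
    public_key: bytes  # placeholder for the SubjectPublicKeyInfo bytes

    def is_self_signed(self) -> bool:
        return self.subject == self.issuer

    def spki_fingerprint(self) -> str:
        # Pin on a hash of the public key, so a re-issued cert with the
        # same key still matches while a key change does not.
        return hashlib.sha256(self.public_key).hexdigest()


@dataclass
class PinStore:
    """Hypothetical 'history mechanism about security information':
    a per-host record of which certificate was previously pinned."""
    pins: dict = field(default_factory=dict)  # host -> SPKI fingerprint

    def get(self, host: str) -> Optional[str]:
        return self.pins.get(host)

    def pin(self, host: str, cert: Certificate) -> None:
        self.pins[host] = cert.spki_fingerprint()


def classify_tls_error(host: str, cert: Certificate, store: Optional[PinStore],
                       chain_validates: bool, strict_new_pin: bool) -> str:
    """Decide which error-signalling class applies to a TLS connection.

    strict_new_pin=False follows the quoted text of 5.5.1 item 3 (notification
    MAY be used to offer pinning); strict_new_pin=True follows the proposal in
    the message (a warning, so the user must interact before a new pin)."""
    if chain_validates:
        return ACCEPT  # ordinary validated chain: nothing to pin or signal

    if store is None:
        # 5.1.5: no history mechanism, so the client MUST NOT recover
        # automatically; the only conformant path requires the user.
        return WARNING

    pinned = store.get(host)
    if pinned is not None:
        if pinned == cert.spki_fingerprint():
            return ACCEPT  # matches the pinned certificate: continue silently
        return WARNING     # pinned key changed: never silently re-pin (example's choice)

    # No pin yet for this host: this is the case the message is about.
    return WARNING if strict_new_pin else NOTIFICATION


def apply_pinning(signal_class: str, user_confirmed: bool, store: Optional[PinStore],
                  host: str, cert: Certificate) -> bool:
    """Record a pin if the signalling class permits it; returns True if pinned.

    With a notification the user agent may pin without any interaction (the
    behaviour the message questions); with a warning it pins only on an
    explicit user decision."""
    if store is None or not cert.is_self_signed():
        return False
    if signal_class == NOTIFICATION or (signal_class == WARNING and user_confirmed):
        store.pin(host, cert)
        return True
    return False


if __name__ == "__main__":
    # Constructed sample: a self-signed certificate for an example host.
    cert = Certificate("CN=example.test", "CN=example.test", b"constructed-spki-bytes")
    store = PinStore()
    lenient = classify_tls_error("example.test", cert, store, False, strict_new_pin=False)
    strict = classify_tls_error("example.test", cert, store, False, strict_new_pin=True)
    print("spec text:", lenient, "proposal:", strict)
```

Running the module shows the difference in one line: the quoted text yields `notification`, the proposal yields `warning`. The `apply_pinning` step is where the two diverge in effect, since a notification lets `PinStore` gain an entry with `user_confirmed=False`, whereas a warning never does.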