- From: Thomas Roessler <tlr@w3.org>
- Date: Tue, 5 May 2009 11:55:49 +0200
- To: WSC WG public <public-wsc-wg@w3.org>
- Message-Id: <6C483FCB-5AD9-4C68-8F00-92F7022A10BE@w3.org>
We first introduce pinning in the section on self-signed certificates, with the following language:

> <p>Web user agents MAY support <termdef id="def-pinned-cert"><term>pinning</term></termdef> a self-signed certificate or more generally a certificate chain that leads to an untrusted root certificate to a particular Web site, to enable behavior based on recorded state about certificates shown previously by the same site. Such behavior includes, e.g., warning users about changes of certificates, and not showing warning messages if a site shows a certificate consistent with previous visits.</p>

The paragraph before that briefly says what key continuity management is, and introduces the notion that web sites might do useful things with information about previously presented "bad" certificates.

I propose that we change the paragraph above as follows:

> While Web user agents commonly do not implement full-fledged key continuity management, they typically offer an interaction to users which serves to associate a self-signed certificate (or more generally a certificate chain that leads to an untrusted root certificate) to a particular Web site. This association enables behavior such as warning users about changes of certificate, or not showing warning messages if a site shows a certificate consistent with previous visits. For the purposes of this specification, we call a self-signed certificate (or a certificate with a chain leading up to an untrusted root certificate) that has been associated with a web site by explicit user interaction <termdef id="def-pinned-cert">"<term>pinned</term>"</termdef> to that site, and the interaction "pinning." This feature is OPTIONAL to implement under this specification.

Regards,
--
Thomas Roessler, W3C <tlr@w3.org>
Received on Tuesday, 5 May 2009 11:57:38 UTC
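The behaviour the proposed wording describes (a user agent associating a self-signed or untrusted-root certificate with a site only through explicit user interaction, then suppressing the warning on a consistent certificate and warning on a changed one) is the trust-on-first-use pattern familiar from SSH known_hosts. The following is an added illustration written for this archive page, not code from the WSC WG or from any user agent. The `PinStore` and `evaluate` names, the use of a SHA-256 fingerprint over the certificate's DER bytes as the recorded state, and the certificate byte strings are all assumptions made for the example; the "certificates" are constructed placeholders, not real X.509 data. Note the caveat the spec text itself implies: a chain that validates to a trusted root is never consulted against the pin store, because pinning as defined here only applies to chains leading to untrusted roots.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class CertificateInfo:
    """What the user agent knows about the certificate a site just presented.

    `der` stands in for the DER-encoded end-entity certificate (constructed
    bytes here, not a real certificate). `chain_to_trusted_root` is the result
    of ordinary path validation against the agent's trust anchors.
    """
    der: bytes
    chain_to_trusted_root: bool


def fingerprint(der: bytes) -> str:
    # Recorded state is a hash of the certificate, not the certificate itself,
    # so a store entry cannot be mistaken for a trust anchor.
    return hashlib.sha256(der).hexdigest()


class PinStore:
    """Per-site record of certificates the user has explicitly pinned."""

    def __init__(self) -> None:
        self._pins: Dict[str, str] = {}

    def pinned_fingerprint(self, site: str) -> Optional[str]:
        return self._pins.get(site)

    def pin(self, site: str, cert: CertificateInfo, user_confirmed: bool) -> bool:
        """Associate `cert` with `site`.

        Per the proposed wording, the association is made only by explicit
        user interaction, so a silent call (user_confirmed=False) records
        nothing and reports False. Pinning a CA-validated chain is refused as
        well: it is outside the definition and would be redundant.
        """
        if not user_confirmed or cert.chain_to_trusted_root:
            return False
        self._pins[site] = fingerprint(cert.der)
        return True

    def unpin(self, site: str) -> None:
        self._pins.pop(site, None)


def evaluate(store: PinStore, site: str, cert: CertificateInfo) -> str:
    """Decide which interaction the agent shows for this site/certificate pair.

    Returns one of:
      "trusted-chain"    - validated to a trusted root; pin store not consulted
      "unpinned"         - untrusted chain, nothing recorded: warn, offer to pin
      "pinned-match"     - consistent with the pinned certificate: no warning
      "pinned-mismatch"  - untrusted chain differs from the pin: warn of change
    """
    if cert.chain_to_trusted_root:
        return "trusted-chain"
    recorded = store.pinned_fingerprint(site)
    if recorded is None:
        return "unpinned"
    if recorded == fingerprint(cert.der):
        return "pinned-match"
    return "pinned-mismatch"


def walk_through() -> List[str]:
    """Replay the visits a user might make to one site; constructed data."""
    store = PinStore()
    site = "example.test"
    self_signed_v1 = CertificateInfo(b"constructed self-signed cert v1", False)
    self_signed_v2 = CertificateInfo(b"constructed self-signed cert v2", False)
    outcomes = []
    outcomes.append(evaluate(store, site, self_signed_v1))      # unpinned
    store.pin(site, self_signed_v1, user_confirmed=False)       # ignored
    outcomes.append(evaluate(store, site, self_signed_v1))      # still unpinned
    store.pin(site, self_signed_v1, user_confirmed=True)        # user pins it
    outcomes.append(evaluate(store, site, self_signed_v1))      # pinned-match
    outcomes.append(evaluate(store, site, self_signed_v2))      # pinned-mismatch
    return outcomes


if __name__ == "__main__":
    for step in walk_through():
        print(step)
```

The store is deliberately keyed by site and holds only a fingerprint, so that a mismatch is reported as "the certificate changed" rather than silently accepted; whether the agent then lets the user re-pin is the kind of interaction the proposed text leaves OPTIONAL.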