Re: Proposed clarification re "pinning" (ACTION-581)

ditto.

From:   Joe Steele <steele@adobe.com>
To:     Thomas Roessler <tlr@w3.org>, WSC WG public <public-wsc-wg@w3.org>
Date:   05/06/2009 11:01 AM
Subject:        Re: Proposed clarification re "pinning" (ACTION-581)
Sent by:        public-wsc-wg-request@w3.org

This text change looks reasonable.

Joe

On 5/5/09 2:55 AM, "Thomas Roessler" <tlr@w3.org> wrote:

We first introduce pinning in the section on self-signed certificates, 
with the following language:

<p>Web user agents MAY support <termdef 
id="def-pinned-cert"><term>pinning</term></termdef> a self-signed 
certificate or more generally a certificate chain that leads to an 
untrusted root certificate to a particular Web site, to enable behavior 
based on recorded state about certificates shown previously by the same 
site.  Such behavior includes, e.g., warning users about changes of 
certificates, and not showing warning messages if a site shows a 
certificate consistent with previous visits.</p>

The paragraph before that briefly says what key continuity management is, 
and introduces the notion that web sites might do useful things with 
information about previously presented "bad" certificates.

I propose that we change the paragraph above as follows:

While Web user agents commonly do not implement full-fledged key 
continuity management, they typically offer an interaction to users which 
serves to associate a self-signed certificate (or more generally a 
certificate chain that leads to an untrusted root certificate) to a 
particular Web site.  This association enables behavior such as warning 
users about changes of certificate, or not showing warning messages if a 
site shows a certificate consistent with previous visits.  For the 
purposes of this specification, we call a self-signed certificate (or a 
certificate with a chain leading up to an untrusted root certificate) that 
has been associated with a web site by explicit user interaction <termdef 
id="def-pinned-cert">"<term>pinned</term>"</termdef> to that site, and the 
interaction "pinning."  This feature is OPTIONAL to implement under this 
specification.

Regards,

--
Thomas Roessler, W3C  <tlr@w3.org>

Received on Friday, 8 May 2009 13:59:00 UTC
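
The behaviour Thomas's proposed text describes (a user explicitly associates a certificate whose chain leads to an untrusted root with one site; later visits that present the same certificate proceed without a warning, while a different certificate triggers one) is sketched below as an added example in Python. This is illustrative code written for this page, not text from the specification or any browser's implementation; the hostnames and certificate bytes are constructed, and a real user agent would fingerprint the actual DER certificate received in the TLS handshake.

```python
"""Toy key-continuity ("pinning") store for untrusted certificate chains.

Example code written for this page, not part of the W3C WSC specification
or of any user agent.  Site names and certificate bytes are constructed.
"""
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List


def fingerprint(der_cert: bytes) -> str:
    # SHA-256 over the DER encoding.  Pinning compares this value, not the
    # chain's trust status, which is what lets a self-signed cert be remembered.
    return hashlib.sha256(der_cert).hexdigest()


@dataclass
class PinStore:
    # site -> fingerprint of the certificate the user explicitly pinned
    pins: Dict[str, str] = field(default_factory=dict)

    def pin(self, site: str, der_cert: bytes) -> str:
        """Record the association after an explicit user interaction ("pinning")."""
        fp = fingerprint(der_cert)
        self.pins[site] = fp
        return fp

    def check(self, site: str, der_cert: bytes, chain_trusted: bool) -> str:
        """Classify a presented certificate for `site`.

        Returns one of 'trusted', 'consistent', 'changed', 'unpinned'.
        """
        if chain_trusted:
            # The proposed text scopes pinning to chains ending in an untrusted
            # root; a chain that validates normally never consults the store.
            return "trusted"
        pinned = self.pins.get(site)
        if pinned is None:
            # First encounter: ordinary untrusted-certificate warning, and the
            # UA may offer the user the interaction that pins it.
            return "unpinned"
        if pinned == fingerprint(der_cert):
            # Same certificate as on previous visits: the warning is suppressed.
            return "consistent"
        # Different certificate from the one the user pinned: warn about the change.
        return "changed"


def ua_action(verdict: str) -> str:
    """Map a PinStore verdict to the user-agent behaviour the text describes."""
    return {
        "trusted": "proceed",
        "consistent": "proceed without warning",
        "changed": "warn: certificate changed since it was pinned",
        "unpinned": "warn: untrusted certificate; offer to pin",
    }[verdict]


def demo() -> List[str]:
    """Walk through the lifecycle on constructed data and return the verdicts."""
    store = PinStore()
    site = "intranet.example"  # constructed hostname
    cert_v1 = b"constructed DER bytes for certificate 1"  # constructed, not a real cert
    cert_v2 = b"constructed DER bytes for certificate 2"  # constructed, not a real cert

    verdicts = []
    verdicts.append(store.check(site, cert_v1, chain_trusted=False))  # unpinned
    store.pin(site, cert_v1)  # the user explicitly accepts the certificate
    verdicts.append(store.check(site, cert_v1, chain_trusted=False))  # consistent
    verdicts.append(store.check(site, cert_v2, chain_trusted=False))  # changed
    # The association is per site: the same certificate on another host is unpinned.
    verdicts.append(store.check("other.example", cert_v1, chain_trusted=False))
    return verdicts


if __name__ == "__main__":
    for v in demo():
        print(f"{v:10} -> {ua_action(v)}")
```

The store is keyed by site and holds only the fingerprint the user accepted, so a certificate pinned for one host carries no weight on another, and a chain that validates to a trusted root bypasses the store entirely, matching the scope of the proposed wording.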