IETF Logo Mail Archive

Re: [certid] Bad certificate handling

Matt McCutchen <matt@mattmccutchen.net> Fri, 24 September 2010 21:45 UTC

Return-Path: <matt@mattmccutchen.net>
X-Original-To: certid@core3.amsl.com
Delivered-To: certid@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 0A9DA3A6A84 for <certid@core3.amsl.com>; Fri, 24 Sep 2010 14:45:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QSqtjxS84Lqf for <certid@core3.amsl.com>; Fri, 24 Sep 2010 14:45:51 -0700 (PDT)
Received: from homiemail-a2.g.dreamhost.com (caiajhbdcaid.dreamhost.com [208.97.132.83]) by core3.amsl.com (Postfix) with ESMTP id 01B6E3A6A87 for <certid@ietf.org>; Fri, 24 Sep 2010 14:45:50 -0700 (PDT)
Received: from homiemail-a2.g.dreamhost.com (localhost [127.0.0.1]) by homiemail-a2.g.dreamhost.com (Postfix) with ESMTP id 9356B280072; Fri, 24 Sep 2010 14:46:23 -0700 (PDT)
DomainKey-Signature: a=rsa-sha1; c=nofws; d=mattmccutchen.net; h=subject:from :to:cc:in-reply-to:references:content-type:date:message-id :mime-version:content-transfer-encoding; q=dns; s= mattmccutchen.net; b=UTA/6bJYLYXXw3Ryzt8McJW5UeZmI+mbz1Nh/EFc53X cLQdzf7sCDC4kJp+XiSUa+jtYp2ondwr1aUFcpD+TuyYwkx3f7M8NyEGbSHA0Wwr IVllaCMc/sm/PL7f5iUgI6JxLQDqLRracspBwiutY9OPcxisVFSp5hq9Eg2O5nVE =
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=mattmccutchen.net; h= subject:from:to:cc:in-reply-to:references:content-type:date :message-id:mime-version:content-transfer-encoding; s= mattmccutchen.net; bh=1wT5MXk6pFK078n/TOoj0xUj0/o=; b=trE0Fu4zod VAUeG+jjCF91HKKEednL+fIiSZqn9i1hssVtGhiICzzVnbPjXOenkWpWeoaA7ea0 2X/HzbGKjZ55DUcEPoZD77htxAoJJuNt2jAx/sV7rT3zsJmuQmIZNG004nOe/aDO ZUGIF+wvkeGWhe4TW8OM0gaeLlmyBTWvs=
Received: from [206.196.160.254] (wireless-206-196-160-254.umd.edu [206.196.160.254]) (Authenticated sender: matt@mattmccutchen.net) by homiemail-a2.g.dreamhost.com (Postfix) with ESMTPA id 469E5280070; Fri, 24 Sep 2010 14:46:23 -0700 (PDT)
From: Matt McCutchen <matt@mattmccutchen.net>
To: =JeffH <Jeff.Hodges@KingsMountain.com>
In-Reply-To: <4C9CFCE4.1050801@KingsMountain.com>
References: <4C9CFCE4.1050801@KingsMountain.com>
Content-Type: text/plain; charset="UTF-8"
Date: Fri, 24 Sep 2010 17:46:11 -0400
Message-ID: <1285364771.1962.39.camel@mattlaptop2.local>
Mime-Version: 1.0
X-Mailer: Evolution 2.30.4
Content-Transfer-Encoding: 7bit
Cc: IETF cert-based identity <certid@ietf.org>
Subject: Re: [certid] Bad certificate handling
X-BeenThere: certid@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Representation and verification of identity in certificates <certid.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/certid>, <mailto:certid-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/certid>
List-Post: <mailto:certid@ietf.org>
List-Help: <mailto:certid-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/certid>, <mailto:certid-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 24 Sep 2010 21:45:53 -0000

On Fri, 2010-09-24 at 12:32 -0700, =JeffH wrote:
> matt@mattmccutchen.net said:
>  > Separately, I wonder if it makes sense for server-id-check to
>  > specifically discuss the handling of certificates that don't match a
>  > reference identifier when the considerations are essentially the same
>  > for certificates with other problems (most commonly, expired or
>  > untrusted issuer) and, indeed, modern browsers tend to provide a single
>  > UI for these three most common problems.  I'm not sure where would be
>  > the right place to standardize handling of bad certificates in general.
>  > There is a W3C document, but it only applies to interactive user agents:
>  >
>  > http://www.w3.org/TR/wsc-ui/    [WSC-UI]
> 
> Which is entitled: "Web Security Context: User Interface Guidelines"
> 
> Note that we already cite this doc (tho we need to update our cite because it 
> is now a Recommendation).
> 
> In any case, this is a good catch, thanks. In reading WSC-UI, it appears to 
> overall address our needs for more full explanation of interactive user agent 
> behavior in error condition cases (although it doesn't differentiate between 
> "pinning" a cert temporarily vs permanently).
> 
> Given all this, I suggest we change the last part of the last sentence of the 
> "Security Note" quoted above to something like..
> 
>         ..., by forcing the user to view the entire certification path
>         and only then allowing the user to choose whether to accept the
>         certificate on a temporary or permanent basis. See [WSC-UI] for
>         further guidance.
> 
> ..and leave it at that in -tls-server-id-check. We should also consider making 
> [WSC-UI] a normative reference now that it is at Recommendation maturity level.

OK.  I suggest s/to choose whether //; the point is that the user
accepts the certificate.

Another issue with WSC-UI that I neglected to point out earlier: it only
discusses pinning of certificates with untrusted issuers, so we should
make explicit that we are recommending that the WSC-UI treatment of
untrusted issuers be applied to name mismatches.  And it's awkward to do
that if the omission of pinning for name mismatches from WSC-UI was
intentional (i.e., the authors thought it was a bad idea).  Does anyone
know if this is case?

-- 
Matt

v2.8.7 | Report a Bug | By Email