Re: [certid] Bad certificate handling

=JeffH <Jeff.Hodges@KingsMountain.com> Fri, 24 September 2010 23:00 UTC

Message-ID: <4C9D2DC6.3000202@KingsMountain.com>
Date: Fri, 24 Sep 2010 16:01:26 -0700
From: =JeffH <Jeff.Hodges@KingsMountain.com>
To: IETF cert-based identity <certid@ietf.org>
Subject: Re: [certid] Bad certificate handling

 > > Given all this, I suggest we change the last part of the last sentence of
 > > the "Security Note" quoted above to something like..
 > >
 > >         ..., by forcing the user to view the entire certification path
 > >         and only then allowing the user to choose whether to accept the
 > >         certificate on a temporary or permanent basis. See [WSC-UI] for
 > >         further guidance.
 > >
 > > ..and leave it at that in -tls-server-id-check. We should also consider
 > > making [WSC-UI] a normative reference now that it is at Recommendation
 > > maturity level.
 >
 > OK.  I suggest s/to choose whether //; the point is that the user
 > accepts the certificate.

I tend to think we ought to at least mention the notion that the cert can be 
accepted either temporarily or permanently.


 > Another issue with WSC-UI that I neglected to point out earlier: it only
 > discusses pinning of certificates with untrusted issuers

hm, indeed. This would be an issue if we were to cite WSC-UI normatively, but 
not if we do so only informatively, so I'm now thinking we ought to keep it as 
the latter.


 > if the omission of pinning for name mismatches from WSC-UI was
 > intentional (i.e., the authors thought it was a bad idea).  Does anyone
 > know if this is the case?

don't know, but it's easy to ask.

=JeffH
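The thread turns on two points: a user may accept a failing certificate temporarily or permanently after viewing the certification path, and WSC-UI only covers pinning for untrusted issuers, not for name mismatches. The sketch below is an added illustration, not code from this thread, from -tls-server-id-check or from WSC-UI; it models a client-side exception store in which an accepted exception is bound to the exact host and end-entity certificate, carries an expiry (temporary) or none (permanent), and records which validation failures the user actually saw. A stored exception for an untrusted issuer does not cover a later name mismatch on the same certificate, which is the gap the thread points at. The failure categories, field names and the session TTL are constructed for the example.

```python
"""Model of per-host TLS certificate exception handling.

Constructed example: a client that failed to validate a server
certificate may let the user accept it temporarily (this session only)
or permanently. An exception covers a later connection only when the
host, the certificate and the set of failures all match.
"""
import hashlib
import time
from dataclasses import dataclass
from enum import Enum
from typing import Dict, FrozenSet, Iterable, Optional, Tuple


class Failure(Enum):
    # Constructed categories; real validators report finer-grained errors.
    UNTRUSTED_ISSUER = "untrusted_issuer"  # chain does not end at a trust anchor
    NAME_MISMATCH = "name_mismatch"        # presented identity != reference identity
    EXPIRED = "expired"                    # outside the validity period


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 over the DER encoding of the end-entity certificate."""
    return hashlib.sha256(cert_der).hexdigest()


@dataclass(frozen=True)
class CertException:
    host: str
    fingerprint: str
    reasons: FrozenSet[Failure]   # failures the user saw and accepted
    expires: Optional[float]      # None = permanent; else epoch seconds


class ExceptionStore:
    """Exceptions keyed by (host, fingerprint); an exception for one
    host never applies to another host presenting the same cert."""

    SESSION_TTL = 3600.0  # constructed: how long a temporary acceptance lasts

    def __init__(self) -> None:
        self._entries: Dict[Tuple[str, str], CertException] = {}

    def add(self, host: str, cert_der: bytes, reasons: Iterable[Failure],
            permanent: bool, now: Optional[float] = None) -> CertException:
        """Record that the user, after viewing the chain, accepted `cert_der`
        for `host` despite `reasons`, either permanently or for this session."""
        now = time.time() if now is None else now
        entry = CertException(
            host=host,
            fingerprint=fingerprint(cert_der),
            reasons=frozenset(reasons),
            expires=None if permanent else now + self.SESSION_TTL,
        )
        self._entries[(host, entry.fingerprint)] = entry
        return entry

    def covers(self, host: str, cert_der: bytes, failures: Iterable[Failure],
               now: Optional[float] = None) -> bool:
        """True only if a live exception exists for exactly this host and
        certificate and it accepted every failure seen on this connection."""
        now = time.time() if now is None else now
        entry = self._entries.get((host, fingerprint(cert_der)))
        if entry is None:
            return False
        if entry.expires is not None and now >= entry.expires:
            del self._entries[(host, entry.fingerprint)]   # drop stale temporary entry
            return False
        return frozenset(failures) <= entry.reasons


def demo() -> Dict[str, bool]:
    """Walk through the cases the thread discusses; returns named outcomes."""
    store = ExceptionStore()
    cert_a = b"constructed DER bytes for cert A"   # constructed, not a real certificate
    t0 = 1_000_000.0
    store.add("example.com", cert_a, {Failure.UNTRUSTED_ISSUER}, permanent=False, now=t0)
    return {
        # same host, same cert, same failure, within the session: accepted
        "temp_ok": store.covers("example.com", cert_a, {Failure.UNTRUSTED_ISSUER}, now=t0 + 60),
        # untrusted-issuer exception does not cover an added name mismatch
        "name_mismatch_not_covered": store.covers(
            "example.com", cert_a, {Failure.UNTRUSTED_ISSUER, Failure.NAME_MISMATCH}, now=t0 + 60),
        # same cert presented by a different host: not covered
        "other_host_not_covered": store.covers("other.example", cert_a, {Failure.UNTRUSTED_ISSUER}, now=t0 + 60),
        # temporary acceptance lapses after the session TTL
        "temp_expired": store.covers("example.com", cert_a, {Failure.UNTRUSTED_ISSUER}, now=t0 + 7200),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The subset test in `covers` is the design choice worth noting: the exception records the failures the user was shown, so a connection that fails for a reason the user never saw (a name mismatch appearing on a certificate previously accepted only for its untrusted issuer) goes back to the user rather than being silently allowed.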