Re: [certid] Bad certificate handling
Matt McCutchen <matt@mattmccutchen.net> Sun, 26 September 2010 15:20 UTC
Return-Path: <matt@mattmccutchen.net>
X-Original-To: certid@core3.amsl.com
Delivered-To: certid@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix)
with ESMTP id 50DF93A6A96 for <certid@core3.amsl.com>;
Sun, 26 Sep 2010 08:20:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5
tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com
[127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0RfF7l9OHMiW for
<certid@core3.amsl.com>; Sun, 26 Sep 2010 08:20:37 -0700 (PDT)
Received: from homiemail-a4.g.dreamhost.com (caiajhbdcbef.dreamhost.com
[208.97.132.145]) by core3.amsl.com (Postfix) with ESMTP id 2F5CF3A695A for
<certid@ietf.org>; Sun, 26 Sep 2010 08:20:37 -0700 (PDT)
Received: from homiemail-a4.g.dreamhost.com (localhost [127.0.0.1]) by
homiemail-a4.g.dreamhost.com (Postfix) with ESMTP id C1B8F51C063;
Sun, 26 Sep 2010 08:21:13 -0700 (PDT)
DomainKey-Signature: a=rsa-sha1; c=nofws; d=mattmccutchen.net; h=subject:from
:to:cc:in-reply-to:references:content-type:date:message-id
:mime-version:content-transfer-encoding; q=dns; s= mattmccutchen.net;
b=Dl44w77zvWKBPB/QtBds/lFiUHbRkAMrnTEhVrlhwa8
w+8HY98/cG6hswIWVFmyzNESGi9mZ6/UL7hVR1egchaBJ5DDF+cFLzPtr1sQFOLx
cwsbpGGdGH2U5XHRw6F0h+xjDOeS9hkgHxzPKwMwMyZGw8/H6zGMoGl3tSyuOI14 =
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=mattmccutchen.net;
h= subject:from:to:cc:in-reply-to:references:content-type:date
:message-id:mime-version:content-transfer-encoding; s= mattmccutchen.net;
bh=4JGTAgjbxmrxU3V8+Mq2PF40dIY=;
b=mXalC/w4ty RMIP7PBNcsfDL8/dnmG8zt1rfS3l010aaHDyLbq2XawVJLduOPb2VGlzDmvHCljB
oGIwCCIlt11fz8u43f2khvj82onpZQmpel51USoslpsfVbjU29knZb74rv014y9F
3VpB6ZdkSZN9T3pj08Qz2FYQxZaCDYnvs=
Received: from [206.196.160.254] (wireless-206-196-160-254.umd.edu
[206.196.160.254]) (Authenticated sender: matt@mattmccutchen.net) by
homiemail-a4.g.dreamhost.com (Postfix) with ESMTPA id 6F05E51C062;
Sun, 26 Sep 2010 08:21:13 -0700 (PDT)
From: Matt McCutchen <matt@mattmccutchen.net>
To: mrex@sap.com
In-Reply-To: <201009250022.o8P0Mo2A007079@fs4113.wdf.sap.corp>
References: <201009250022.o8P0Mo2A007079@fs4113.wdf.sap.corp>
Content-Type: text/plain; charset="UTF-8"
Date: Sun, 26 Sep 2010 11:21:08 -0400
Message-ID: <1285514468.2673.8.camel@mattlaptop2.local>
Mime-Version: 1.0
X-Mailer: Evolution 2.30.4
Content-Transfer-Encoding: 7bit
Cc: certid@ietf.org
Subject: Re: [certid] Bad certificate handling
X-BeenThere: certid@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Representation and verification of identity in certificates
<certid.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/certid>,
<mailto:certid-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/certid>
List-Post: <mailto:certid@ietf.org>
List-Help: <mailto:certid-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/certid>,
<mailto:certid-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 26 Sep 2010 15:20:38 -0000
On Sat, 2010-09-25 at 02:22 +0200, Martin Rex wrote: > Section 5.1.4 here: > > http://www.w3.org/TR/wsc-ui/#selfsignedcerts > > is much closer what I this would be useful and sensible. > > "Pinning" of certs is useful for both, certs that validate fine > and certs that do not validate for the two reasons "not trusted" > and "server-id-mismatch". Once again (http://www.ietf.org/mail-archive/web/certid/current/msg00338.html), the purpose of pinning is to make it possible to connect to servers with unverifiable certificates, not to replace the public-CA trust model, which is much more difficult to do properly. The definition of "strongly TLS-protected" (http://www.w3.org/TR/wsc-ui/#def-strong-tls) includes validated certificates regardless of whether there is a pinned certificate. > What is the idea behind visualizing the full chain? > > I've seen the same in 5.1.4 of the WSC-UI document but there's > no rationale given and I can not think of one. If the purpose is > memorizing and "pinning" a server cert, there is no point in > visualizing the certificate chain. > > Either there is no trust, then the chain can be crafted to look > like anything, Not necessarily. There are some CAs I don't want to enable unconditionally as trust anchors, but whose certificates I am willing to accept after additional manual verification. In that case, I would check the fingerprint of the top certificate of the presented chain against the one I expect. But you're right that "forcing the user to view the entire certification path" may have no real security benefit in general, though it sounds impressive. -- Matt
- Re: [certid] Bad certificate handling =JeffH
- Re: [certid] Bad certificate handling Matt McCutchen
- Re: [certid] Bad certificate handling =JeffH
- Re: [certid] Bad certificate handling Martin Rex
- Re: [certid] Bad certificate handling Matt McCutchen
- Re: [certid] Bad certificate handling Matt McCutchen
- Re: [certid] Bad certificate handling Jeffrey A. Williams
- Re: [certid] Bad certificate handling Martin Rex
- Re: [certid] Bad certificate handling ArkanoiD
- Re: [certid] Bad certificate handling =JeffH
- Re: [certid] Bad certificate handling Peter Saint-Andre