IETF Logo Mail Archive

Re: [certid] Bad certificate handling

Martin Rex <mrex@sap.com> Sat, 25 September 2010 00:22 UTC

Return-Path: <mrex@sap.com>
X-Original-To: certid@core3.amsl.com
Delivered-To: certid@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 6A0873A6B6A for <certid@core3.amsl.com>; Fri, 24 Sep 2010 17:22:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.828
X-Spam-Level:
X-Spam-Status: No, score=-9.828 tagged_above=-999 required=5 tests=[AWL=0.421, BAYES_00=-2.599, HELO_EQ_DE=0.35, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YtW7iAp1KCra for <certid@core3.amsl.com>; Fri, 24 Sep 2010 17:22:19 -0700 (PDT)
Received: from smtpde01.sap-ag.de (smtpde01.sap-ag.de [155.56.68.170]) by core3.amsl.com (Postfix) with ESMTP id 434543A6AA5 for <certid@ietf.org>; Fri, 24 Sep 2010 17:22:19 -0700 (PDT)
Received: from mail.sap.corp by smtpde01.sap-ag.de (26) with ESMTP id o8P0MpiY003321 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Sat, 25 Sep 2010 02:22:51 +0200 (MEST)
From: Martin Rex <mrex@sap.com>
Message-Id: <201009250022.o8P0Mo2A007079@fs4113.wdf.sap.corp>
To: Jeff.Hodges@KingsMountain.com (=JeffH)
Date: Sat, 25 Sep 2010 02:22:50 +0200 (MEST)
In-Reply-To: <4C9CFCE4.1050801@KingsMountain.com> from "=JeffH" at Sep 24, 10 12:32:52 pm
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
X-Scanner: Virus Scanner virwal07
X-SAP: out
Cc: certid@ietf.org
Subject: Re: [certid] Bad certificate handling
X-BeenThere: certid@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: mrex@sap.com
List-Id: Representation and verification of identity in certificates <certid.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/certid>, <mailto:certid-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/certid>
List-Post: <mailto:certid@ietf.org>
List-Help: <mailto:certid-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/certid>, <mailto:certid-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 25 Sep 2010 00:22:20 -0000

=JeffH wrote:
> 
>  > http://www.w3.org/TR/wsc-ui/    [WSC-UI]
> 
> Which is entitled: "Web Security Context: User Interface Guidelines"

Thanks for providing this link !!

Section 5.1.4 here:

    http://www.w3.org/TR/wsc-ui/#selfsignedcerts

is much closer what I this would be useful and sensible.

"Pinning" of certs is useful for both, certs that validate fine
and certs that do not validate for the two reasons "not trusted"
and "server-id-mismatch".


>
> Given all this, I suggest we change the last part of the last sentence of the 
> "Security Note" quoted above to something like..
> 
>         ..., by forcing the user to view the entire certification path
>         and only then allowing the user to choose whether to accept the
>         certificate on a temporary or permanent basis. See [WSC-UI] for
>         further guidance.


What is the idea behind visualizing the full chain?

I've seen the same in 5.1.4 of the WSC-UI document but there's
no rationale given and I can not think of one.  If the purpose is
memorizing and "pinning" a server cert, there is no point in
visualizing the certificate chain.

Either there is no trust, then the chain can be crafted to look
like anything, or it is trusted, then -- well it is trusted and
there is no point (for Joe Average User) in looking at the chain,
because this chain has passed certificate path validation.


-Martin

v2.8.7 | Report a Bug | By Email