IETF Logo Mail Archive

Re: [certid] Bad certificate handling

Peter Saint-Andre <stpeter@stpeter.im> Wed, 29 September 2010 20:25 UTC

Return-Path: <stpeter@stpeter.im>
X-Original-To: certid@core3.amsl.com
Delivered-To: certid@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 9C5EB3A6D96 for <certid@core3.amsl.com>; Wed, 29 Sep 2010 13:25:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.543
X-Spam-Level:
X-Spam-Status: No, score=-102.543 tagged_above=-999 required=5 tests=[AWL=0.056, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dWzAMaJuEjx0 for <certid@core3.amsl.com>; Wed, 29 Sep 2010 13:25:56 -0700 (PDT)
Received: from stpeter.im (stpeter.im [207.210.219.233]) by core3.amsl.com (Postfix) with ESMTP id 5B0953A6D8F for <certid@ietf.org>; Wed, 29 Sep 2010 13:25:56 -0700 (PDT)
Received: from moveme.cisco.com (72-163-0-129.cisco.com [72.163.0.129]) (Authenticated sender: stpeter) by stpeter.im (Postfix) with ESMTPSA id 29646403DF; Wed, 29 Sep 2010 14:32:13 -0600 (MDT)
Message-ID: <4CA3A0FE.4050503@stpeter.im>
Date: Wed, 29 Sep 2010 14:26:38 -0600
From: Peter Saint-Andre <stpeter@stpeter.im>
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1.12) Gecko/20100914 Thunderbird/3.0.8
MIME-Version: 1.0
To: =JeffH <Jeff.Hodges@KingsMountain.com>
References: <4CA12756.6070301@KingsMountain.com>
In-Reply-To: <4CA12756.6070301@KingsMountain.com>
X-Enigmail-Version: 1.0.1
OpenPGP: url=http://www.saint-andre.com/me/stpeter.asc
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit
Cc: IETF cert-based identity <certid@ietf.org>
Subject: Re: [certid] Bad certificate handling
X-BeenThere: certid@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Representation and verification of identity in certificates <certid.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/certid>, <mailto:certid-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/certid>
List-Post: <mailto:certid@ietf.org>
List-Help: <mailto:certid-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/certid>, <mailto:certid-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 29 Sep 2010 20:25:57 -0000

On 9/27/10 5:23 PM, =JeffH wrote:
> Matt replied..
>>
>> On Fri, 2010-09-24 at 16:01 -0700, =JeffH wrote:
>>> > > Given all this, I suggest we change the last part of the last
> sentence of
>>>  > > the "Security Note" quoted above to something like..
>>>  > >
>>>  > >         ..., by forcing the user to view the entire
> certification path
>>>  > >         and only then allowing the user to choose whether to
> accept the
>>>  > >         certificate on a temporary or permanent basis. See
> [WSC-UI] for
>>>  > >         further guidance.
>>>  > >
>>>  > > ..and leave it at that in -tls-server-id-check. We should also
> consider
>>>  > > making [WSC-UI] a normative reference now that it is at
> Recommendation
>>>  > > maturity level.
>>>  >
>>>  > OK.  I suggest s/to choose whether //; the point is that the user
>>>  > accepts the certificate.
>>>
>>> I tend to think we ought to at least mention the notion that the cert
> can be
>>> accepted either temporarily or permanently.
>>
>> And that remains after my proposed edit.  If you want to emphasize that
>> it's the user's choice, try this:
>>
>> "...and only then allowing the user to accept the certificate on a
>> temporary or permanent basis, at his/her option."
>>
>> The problem with the current text is that its negation could be that
>> someone else does the choosing, when it should be that the certificate
>> is not accepted.
> 
> ah, ok, thx, I'd misunderstood your proposed edit, thx for clarification.

Based on jhutz's earlier comments, our working copy already has this:

   ... and only then allowing the user to accept the certificate
   (on a temporary or permanent basis, at the user's option).

That seems to meet the need identified in this thread.

Peter

-- 
Peter Saint-Andre
https://stpeter.im/

v2.8.7 | Report a Bug | By Email