Re: ACTION-401: Larry as Lo-Fi prototype for 6.1.1 from Johnathan Nightingale on 2008-03-05 (public-wsc-wg@w3.org from March 2008)

From: Johnathan Nightingale <johnath@mozilla.com>
Date: Tue, 04 Mar 2008 20:24:23 -0500
To: "Close, Tyler J." <tyler.close@hp.com>
CC: W3C WSC W3C WSC Public <public-wsc-wg@w3.org>
Message-ID: <47CDF647.4030608@mozilla.com>

Hi Tyler,

Manually adding trust to certificates that don't otherwise validate 
(e.g. domain name mismatches) is done on a per-host/port basis.  So a 
certificate's claims to be valid for multiple domains, or for *, or 
what-have-you are not respected.  When a manual override is added, it is 
bound to the host and port currently being visited.

This makes it a very cumbersome route to take if you have a cert which 
claims to be valid for large swaths of the world and you really want it 
to work that way, but there are other approaches you can take at that 
point (e.g. adding your own CA).

It's a little off-topic for the W3C, but yeah, the PSM service that 
manages these exceptions is available to privileged chrome, including 
addons, via this XPCOM interface:

http://mxr.mozilla.org/mozilla/source/security/manager/ssl/public/nsICertOverrideService.idl

Cheers,

Johnathan

Close, Tyler J. wrote:
> Hi Johnathan,
> 
> How does the GUI for adding a trusted certificate deal with certificates that claim to represent multiple hostnames via subjectAltNames, or via a wildcard?
> 
> Is there an API accessible to addons for adding such trusted certificates? If so, could you provide a pointer?
> 
> Thanks,
> --Tyler
> 
>> -----Original Message-----
>> From: public-wsc-wg-request@w3.org
>> [mailto:public-wsc-wg-request@w3.org] On Behalf Of Johnathan
>> Nightingale
>> Sent: Friday, February 29, 2008 12:00 PM
>> To: W3C WSC W3C WSC Public
>> Subject: Re: ACTION-401: Larry as Lo-Fi prototype for 6.1.1
>>
>> Incidentally, I think this works as a prototype for 6.1.2 as well:
>>
>>> Information displayed in the identity signal MUST be derived from
>>> attested certificates, from user agent state, or be otherwise
>>> authenticated. Web user agents MUST NOT use information as part of
>>> the [[identity signal]]  that is taken from unauthenticated or
>>> untrusted sources.
>> Yep.  In the case of a site with an unattested, but explicitly trusted
>> by the user, certificate, Larry looks like this:
>>
>>

Received on Wednesday, 5 March 2008 01:25:16 UTC