Re: ISSUE-187 (PinnedCerts): Be clear on just what pinned certificates are and are not [wsc-xit]

Yes, that's great. When you fold it in, you can close the issue. 

Mez

From: Thomas Roessler <tlr@w3.org>
To: Mary Ellen Zurko/Westford/IBM@Iris
Cc: public-wsc-wg@w3.org
Date: 03/08/2008 06:58 AM
Subject: Re: ISSUE-187 (PinnedCerts): Be clear on just what pinned certificates are and are not [wsc-xit]


On 2008-03-07 22:15:23 +0100, Thomas Roessler wrote:

> > A certificate that is [Definition: pinned] to a destination will be
> > treated similar (but not identical) to a validated certificate in
> > interactions defined elsewhere in this specification.
>
> Or rather, make the line less confusing. ;-)

Rephrased:

<p>If a Web site consistently presents the same self-signed
certificate to a client, then this can be strong evidence that
protection against an active attacker has been achieved as well.
Conversely, a change of self-signed certificates for the same site
can be evidence that a man in the middle attack occurs -- or it
can be a symptom that the legitimate site has changed to a
different self-signed certificate.</p>

<p>Web user agents MAY offer pinning a self-signed certificate to
a particular Web site, to enable behavior based on recorded state
about self-signed certificates shown previously by the same site.
Such behavior includes, e.g., warning users about changes of such
certificates, and not showing warning messages if a site shows a
certificate consistent with previous visits.</p>

<p>The notification of this possibility SHOULD follow the
requirements for Notification and Status Indicator as defined in
<specref ref="error-notif"/>.  This interaction SHOULD NOT cause a
self-signed certificate to be pinned to more than one site,
identified through URI scheme, domain, and port.</p>

Hope that improves things a bit.
--
Thomas Roessler, W3C  <tlr@w3.org>

Received on Friday, 14 March 2008 15:15:16 UTC
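The behaviour the rephrased text describes, shown as an added example that is not part of this thread or of the WSC draft: a small pin store that records the fingerprint of a self-signed certificate against a site identified by URI scheme, domain and port, reports whether a later presentation is consistent with the recorded one or has changed, and refuses to pin one certificate to more than one site. The certificate bytes, the site names and the function names are all constructed for illustration; a real user agent would feed it DER-encoded certificates from the TLS handshake and decide on its own UI what to do with a "changed" result.

```python
import hashlib
from urllib.parse import urlsplit

# Default ports used when the URI omits one, so that
# https://example.test/ and https://example.test:443/ are the same site.
DEFAULT_PORTS = {"https": 443, "http": 80}

# Constructed stand-ins for DER-encoded certificates (not real certificates).
CERT_A = b"constructed-self-signed-certificate-A"
CERT_B = b"constructed-self-signed-certificate-B"


def site_key(url):
    """Identify a site by (scheme, host, port), the granularity the draft text names."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    if not scheme or not host or port is None:
        raise ValueError(f"cannot derive a site identity from {url!r}")
    return (scheme, host, port)


def fingerprint(cert_der):
    """A pin records a hash of the certificate bytes, not the subject name."""
    return hashlib.sha256(cert_der).hexdigest()


class PinStore:
    """Recorded state about self-signed certificates previously shown by a site."""

    def __init__(self):
        self._pins = {}    # site key -> fingerprint of the pinned certificate
        self._owners = {}  # fingerprint -> site key (enforces one site per certificate)

    def pin(self, url, cert_der):
        """Pin cert_der to the site in url; False if it is already pinned elsewhere."""
        key = site_key(url)
        fp = fingerprint(cert_der)
        owner = self._owners.get(fp)
        if owner is not None and owner != key:
            # The draft says this interaction SHOULD NOT pin one certificate
            # to more than one site, so refuse rather than silently allow it.
            return False
        old = self._pins.get(key)
        if old is not None and old != fp:
            # The site is being re-pinned to a new certificate: release the old one.
            self._owners.pop(old, None)
        self._pins[key] = fp
        self._owners[fp] = key
        return True

    def check(self, url, cert_der):
        """Classify a presented certificate against the pin recorded for the site.

        'unpinned'   -> nothing recorded; no pin-based evidence either way
        'consistent' -> same certificate as before; a warning can be suppressed
        'changed'    -> different certificate; either an active attacker or a
                        legitimate change, which the user agent should surface
        """
        key = site_key(url)
        pinned = self._pins.get(key)
        if pinned is None:
            return "unpinned"
        return "consistent" if pinned == fingerprint(cert_der) else "changed"


if __name__ == "__main__":
    store = PinStore()
    store.pin("https://example.test/", CERT_A)
    print(store.check("https://example.test/login", CERT_A))   # consistent
    print(store.check("https://example.test/", CERT_B))        # changed
    print(store.check("https://example.test:8443/", CERT_A))   # unpinned
    print(store.pin("https://other.test/", CERT_A))            # False
```

The store keys on the full (scheme, host, port) triple on purpose: a pin for the HTTPS site on port 443 says nothing about the same host on port 8443 or over plain HTTP, and the draft's "change of self-signed certificates" signal only makes sense when the comparison is against the same site identity. A "changed" result is evidence, not a verdict, which is why the class only classifies and leaves the warning decision to the caller.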