ISSUE-121

Safe Form Bar certificate matching issues

State:

CLOSED

Product:

wsc-xit-past-062008

Raised by:

Thomas Roessler

Opened on:

2007-10-11

Description:

The safe form bar specification includes a specific matching algorithm for PKIX certificates. This algorithm should be reviewed in light of what the PKIX spec itself says.

Known issues:

- There is some material based on CN, but subjectAltName is ignored
- Two certificates are considered identical if the same key material is encapsulated
- The text uses the notion of "same certification authority", and defines that notion in terms of "both installed as trusted certificate chain roots identified by the same name in the user agent's presentation to the user", as opposed to using the certificate's isuser field. (Note contradiction to material elsewhere in the spec!)
- Certificates are considered to identify the same entity based on comparing specific attributes of the subject field.

Related Actions Items:

• ACTION-355 on Yngve Pettersen to Describe algorithms commonly used to create display names of certificates - due 2007-12-12, closed

Related emails:

1. Draft Minutes for 2009-01-21 (from maritzaj@cs.columbia.edu on 2009-01-22)
2. ACTION-317: Different notions of KCM in different parts of the document (from tlr@w3.org on 2008-01-17)
3. Mez' review of wsc-xit (from Mary_Ellen_Zurko@notesdev.ibm.com on 2007-12-07)
4. ACTION-348: cert related terminology (from stephen.farrell@cs.tcd.ie on 2007-12-05)
5. Agenda: WSC WG distributed meeting, Wednesday, 2007-12-05 (from Mary_Ellen_Zurko@notesdev.ibm.com on 2007-12-04)
6. ISSUE-121: Safe Form Bar certificate matching issues [Techniques] (from sysbot+tracker@w3.org on 2007-10-11)

Related notes:

Display change log