From 4ddb99a82925a475cadd900bb76a9deab67bf045 Mon Sep 17 00:00:00 2001 From: Cosimo Cecchi Date: Mon, 13 Sep 2010 16:49:34 +0200 Subject: Update to new tp-spec draft --- extensions/Authentication_TLS_Certificate.xml | 177 +++++++++++++------------- 1 file changed, 85 insertions(+), 92 deletions(-) (limited to 'extensions') diff --git a/extensions/Authentication_TLS_Certificate.xml b/extensions/Authentication_TLS_Certificate.xml index 709ea282c..aafc00414 100644 --- a/extensions/Authentication_TLS_Certificate.xml +++ b/extensions/Authentication_TLS_Certificate.xml @@ -41,6 +41,77 @@ Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. + + +

Struct representing one reason why a TLS certificate was rejected.

+

Since there can be multiple things wrong with a TLS certificate, + arrays of this type are used to represent lists of reasons for + rejection. In that case, the most important reason SHOULD be placed + first in the list.

+
+ + + +

The value of the TLS_Certificate_Reject_Reason enumeration for + this certificate rejection. + + Clients that do not understand the Error member, + which may be implementation-specific, can use this property to + classify rejection reasons into common categories. + +

+
+
+ + + +

The DBus error name for this certificate rejection.

+

This MAY correspond to the value of the Reason member, + or MAY be a more specific D-Bus error name, perhaps implementation-specific.

+
+
+ + + +

Additional information about why the certificate was rejected. + This MAY also include one or more of the following well-known keys:

+

+

+
user-requested (b)
+
True if the error was due to an user-requested rejection of + the certificate; False if there was an unrecoverable error in the + verification process.
+
expected-hostname (s)
+
If the rejection reason is Hostname_Mismatch, the hostname that + the server certificate was expected to have.
+
certificate-hostname (s)
+
If the rejection reason is Hostname_Mismatch, the hostname of + the certificate that was presented. + +

For instance, if you try to connect to gmail.com but are presented + with a TLS certificate issued to evil.example.org, the error details + for Hostname_Mismatch MAY include:

+
+                {
+                  'expected-hostname': 'gmail.com',
+                  'certificate-hostname': 'evil.example.org',
+                }
+              
+
+
+
debug-message (s)
+
Debugging information on the error, corresponding to the + message part of a D-Bus error message, which SHOULD NOT be + displayed to users under normal circumstances
+
+

+
+
+
+ The possible states for a - +

If the State is Rejected, - the reason why the certificate was rejected; this MAY correspond to - the RejectReason, or MAY be a more - specific D-Bus error name, perhaps implementation-specific.

+ an array of TLS_Certificate_Rejection + structures containing the reason why the certificate is rejected.

If the State is not Rejected, this property is not meaningful, and SHOULD be set to an empty - string.

-
-
- - - -

If the State is Rejected, - additional information about why the certificate was rejected.

-

If the State is not Rejected, - this property is not meaningful and SHOULD be set to an empty - map.

-

The additional information MAY also include - one or more of the following well-known keys:

-
-
user-requested (b)
-
True if the error was due to an user-requested rejection of - the certificate; False if there was an unrecoverable error in the - verification process.
-
expected-hostname (s)
-
If the rejection reason is Hostname_Mismatch, the hostname that - the server certificate was expected to have.
-
certificate-hostname (s)
-
If the rejection reason is Hostname_Mismatch, the hostname of - the certificate that was presented. - -

For instance, if you try to connect to gmail.com but are presented - with a TLS certificate issued to evil.example.org, the error details - for Hostname_Mismatch MAY include:

-
-              {
-                'expected-hostname': 'gmail.com',
-                'certificate-hostname': 'evil.example.org',
-              }
-            
-
-
-
debug-message (s)
-
Debugging information on the error, corresponding to the - message part of a D-Bus error message, which SHOULD NOT be - displayed to users under normal circumstances
-
-
-
- - - - If the State is Rejected, the - reason why the certificate was rejected. - - Clients that do not understand the RejectError, - which may be implementation-specific, can use this property to - classify rejection reasons into common categories. - - Otherwise, this property is not meaningful, and SHOULD be set to - Unknown. + array.

+

The first rejection in the list MAY be assumed to be + the most important; if the array contains more than one + element, the CM MAY either use the values after the first, + or ignore them.

@@ -252,19 +267,9 @@ Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. The State of this certificate has changed to Rejected. - - - The new value of RejectReason. - - - - - The new value of RejectError. - - - + - The new value of RejectDetails + The new value of the Rejections property. @@ -279,22 +284,10 @@ Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. Rejects this certificate. - - - The new value of RejectReason. - - - - - The new value of RejectError. - - - + - The new value of RejectDetails. + The new value of the Rejections property. -- cgit v1.2.3
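Review bot: in the first hunk (@@ -41,6 +41,77 @@), the new TLS_Certificate_Rejection struct documents certificate-hostname as "the hostname of the certificate that was presented", so the value is chosen by the remote peer, but the text gives no guidance on how clients should handle it. Suggest adding a sentence that UIs showing expected-hostname and certificate-hostname must treat both as untrusted strings (escape them, do not interpret markup), in the same way debug-message already carries a "SHOULD NOT be displayed to users" caveat. The struct also leaves open which member a client should prefer when Reason and Error disagree, since Error "MAY be a more specific D-Bus error name"; one sentence on precedence would help. Minor wording: "DBus error name" sits next to "D-Bus error name", and "an user-requested" should read "a user-requested".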
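Review bot: in the region that replaces RejectError, RejectDetails and RejectReason with the Rejections property, the text covers the non-Rejected case ("SHOULD be set to an empty array") but not an empty array while State is Rejected. Suggest requiring at least one element when State is Rejected, or saying how a client should interpret an empty array in that state, so that a rejected certificate can never appear with no reason attached. The ordering language could also be aligned: the struct description says the most important reason "SHOULD be placed first", while this property says the first rejection "MAY be assumed to be the most important".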
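Review bot: in the Reject method hunk (@@ -279,22 +284,10 @@), the one remaining argument is documented only as "The new value of the Rejections property.", which does not say what the method does when the caller passes an empty array. Suggest documenting whether that is an error or is accepted, and using the same wording for the Rejected signal argument in the @@ -252,19 +267,9 @@ hunk, which carries the same description.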