summaryrefslogtreecommitdiff
path: root/pages
diff options
context:
space:
mode:
authorelijah <elijah@riseup.net>2015-08-19 11:20:52 -0700
committerelijah <elijah@riseup.net>2015-08-19 11:20:52 -0700
commit5a73dafedfbbeb17a82e70801e32e925fb6932d5 (patch)
treea26878f123d576dc11df5a49cec74462e914e839 /pages
parentd90e0fe0aef5e1254892f1799b8c77920ac97467 (diff)
bonafide clarification
Diffstat (limited to 'pages')
-rw-r--r--pages/docs/design/bonafide.text6
1 files changed, 3 insertions, 3 deletions
diff --git a/pages/docs/design/bonafide.text b/pages/docs/design/bonafide.text
index 69f15b5..693bba6 100644
--- a/pages/docs/design/bonafide.text
+++ b/pages/docs/design/bonafide.text
@@ -90,15 +90,15 @@ This file defines the "encrypted internet proxy" capabilities and gateways. The
h2. Provider Keys
-h3. GET ca_cert_uri
+h3. GET $ca_cert_uri
e.g. [[https://demo.bitmask.net/ca.crt]]
The value for @ca_cert_uri@ is contained in @provider.json@.
-This request returns the file @ca.crt@, the provider's self-signed CA certificate. *Every* TLS connection with the provider API is validated using this CA certificate. The one exception is when the client is downloading @ca_cert_uri@ for the first time AND when @ca_cert_uri@ specifies an API URL.
+This request returns the file @ca.crt@, the provider's self-signed CA certificate.
-After this file is downloaded, it's fingerprint MUST be checked against the value @ca_cert_fingerprint@ in @provider.json@.
+If @ca_cert_uri@ specifies an HTTPS connection, the client must allow TLS connections even if the authenticity of the server certificate cannot be established. This is the only request where the authenticity of the TLS certificate can (and should) be ignored. Instead, after this file is downloaded, it's fingerprint MUST be checked against the value @ca_cert_fingerprint@ in @provider.json@.
h1. REST API