From 5a73dafedfbbeb17a82e70801e32e925fb6932d5 Mon Sep 17 00:00:00 2001 From: elijah Date: Wed, 19 Aug 2015 11:20:52 -0700 Subject: bonafide clarification --- pages/docs/design/bonafide.text | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'pages') diff --git a/pages/docs/design/bonafide.text b/pages/docs/design/bonafide.text index 69f15b5..693bba6 100644 --- a/pages/docs/design/bonafide.text +++ b/pages/docs/design/bonafide.text @@ -90,15 +90,15 @@ This file defines the "encrypted internet proxy" capabilities and gateways. The h2. Provider Keys -h3. GET ca_cert_uri +h3. GET $ca_cert_uri e.g. [[https://demo.bitmask.net/ca.crt]] The value for @ca_cert_uri@ is contained in @provider.json@. -This request returns the file @ca.crt@, the provider's self-signed CA certificate. *Every* TLS connection with the provider API is validated using this CA certificate. The one exception is when the client is downloading @ca_cert_uri@ for the first time AND when @ca_cert_uri@ specifies an API URL. +This request returns the file @ca.crt@, the provider's self-signed CA certificate. -After this file is downloaded, it's fingerprint MUST be checked against the value @ca_cert_fingerprint@ in @provider.json@. +If @ca_cert_uri@ specifies an HTTPS connection, the client must allow TLS connections even if the authenticity of the server certificate cannot be established. This is the only request where the authenticity of the TLS certificate can (and should) be ignored. Instead, after this file is downloaded, it's fingerprint MUST be checked against the value @ca_cert_fingerprint@ in @provider.json@. h1. REST API -- cgit v1.2.3
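Review bot: The added paragraph under "h3. GET $ca_cert_uri" widens the validation exception and drops the positive rule it used to qualify. The removed line scoped the exception to "downloading @ca_cert_uri@ for the first time AND when @ca_cert_uri@ specifies an API URL", while the new text says the TLS certificate "can (and should) be ignored" on this request without saying whether that also covers later re-downloads, when the client already holds the CA certificate. The removed sentence "*Every* TLS connection with the provider API is validated using this CA certificate" is also gone, so the rule for all other requests is now only implied by "This is the only request where ...". Suggest keeping that sentence and stating the re-download case explicitly. Since the fingerprint comparison is now the only authenticity check on @ca.crt@, the text should also say what the client does when the fingerprint does not match @ca_cert_fingerprint@, for example that it discards the file and does not use it. Two smaller points in the same added line: "the client must allow" uses lowercase "must" next to "MUST be checked", so pick one convention for normative keywords, and "it's fingerprint" should be "its fingerprint".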