W3C home > Mailing lists > Public > public-bpwg-comments@w3.org > July to September 2008

mobile OK tests: HTTPS considerations

From: Thomas Roessler <tlr@w3.org>
Date: Fri, 29 Aug 2008 11:01:27 +0200
To: dom@w3.org, public-bpwg-comments@w3.org
Cc: public-wsc-wg@w3.org
Message-ID: <20080829090127.GA224@iCoaster.does-not-exist.org>

Hello,

this is a post last call comment concerning the mobile OK basic
tests 1.0, on behalf of the Web Security Context Working Group.

We notice that section 2.4.3 - HTTP Response - uses the notion of an
"HTTPS response".  There is no such thing.

We also notice that the notion of an "invalid certificate" does not
match what we understand to be the Best Practice Working Group's
intention with this test.

We propose that you update this criterion, at a minimum, as follows:

  If the resource is accessed through HTTPS:      
    If the certificate presented does not match the
        resource's URI, FAIL.

    If the certificate has expired or is not yet valid, warn.

    If certificate validation otherwise fails, FAIL.

    Checker SHOULD consider arbitrary root certificates (including
    self-signed certificates) as trusted for the purposes of
    mobileOK testing.

Note that there are additional error conditions that can occur
during TLS negotiation, including a mismatch on supported algorithms
and protocol versions.

Regards,
-- 
Thomas Roessler, W3C  <tlr@w3.org>
Received on Friday, 29 August 2008 09:05:56 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Friday, 15 June 2012 12:13:31 GMT