W3C home > Mailing lists > Public > public-mobileok-checker@w3.org > September 2008

Update on handling HTTPS responses

From: Francois Daoust <fd@w3.org>
Date: Fri, 19 Sep 2008 16:33:37 +0200
Message-ID: <48D3B841.8050803@w3.org>
To: public-mobileok-checker <public-mobileok-checker@w3.org>

Hi,

I created a new bug on certificate validation, where the checker only 
returns a WARN message instead of a FAIL (if I'm correct, that is, I 
haven't had the time to play with SSL certificates):
  http://www.w3.org/Bugs/Public/show_bug.cgi?id=6096

Per Jo's proposal, following the post-last-call comment from the Web 
Security Context working group, two changes need to be introduced in the 
way HTTPS responses are checked by the checker:

1/ arbitrary root certificates should not trigger any error. Actually, I 
wonder if the recursive search for self-signed certificates we already 
have is not enough. Is it?


2/ the certificate should be checked against the host name of the 
requested URI. AFAICT, this is simply not done or at least not caught. 
Any thoughts?

Francois.
Received on Friday, 19 September 2008 14:34:10 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Friday, 19 September 2008 14:34:11 GMT