Re: Testing and certificates

On 11/10/13 15:46, Robin Berjon wrote:
> On 11/10/2013 15:08 , James Graham wrote:
>> 3) Is hard. The options are "make the user add a fake CA in their
>> browser" (extreme badness), "make the test environment setup
>> browser-specific so that we can act like the automation case above"
>> (i.e., for each "supported" browser have the test environment setup
>> launch that browser with the CA trusted for that session only, and force
>> people to use that instance for testing), which is several other kinds
>> of badness since it forces browser-specific code into web-platform-tests
>> and requires the user to carefully follow instructions, and "don't
>> support ssl-requiring tests in this scenario", which makes developing
>> tests and casually running specific tests hard.
>
> I haven't thought this through and I'm multitasking with a conference so
> it might be a daft idea; but on the off chance that we could make it
> work, I'll dump it here.
>
> Adding a specific local hostname on individual machines is pretty easy
> on Unix-ish OSes (including Macs) and ISTR not much harder — possibly
> similar — on Windows. It's just a matter of adding a line to /etc/hosts,
> and the only difficulty is that it requires admin privileges (which you
> need to test against canonical Web ports anyway). We could have wptserve
> just add it on start (if it isn't there).
>
> If we managed that, could we not simply decide that there is a canonical
> hostname for the tests when run on individual boxes, and have wptserve
> use a specific cert for that? Distributing the cert would allow anyone
> to impersonate that domain, but if we only use it for that it oughtn't
> be a problem. I wonder if we can push it so far as to get a cert for
> something that wouldn't be otherwise resolvable anyway, say "web.tests".
>
> It's not impossible that I may be missing a key ingredient though.
>

So I think the hostname part is necessary anyway. It turns out that 
"localhost" is a magic name in some browsers so tests that would 
otherwise pass instead fail. So I have been using web-platform.tests as 
the hostname, set up in /etc/hosts (but running on a non-default port).

I don't really know how you would get a certificate for such a hostname 
though. A self-signed cert. isn't good enough since browsers will 
complain about it. I assume no CA will actually sign such a cert. 
(additionally, the name is theoretically resolvable; someone could pay 
for the .test TLD. Hopefully that's not a big risk, but it's hard to know).

Received on Friday, 11 October 2013 15:05:26 UTC
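
The "add it on start (if it isn't there)" step discussed in the thread, sketched as an added example that is not part of either message and is not wptserve code. It works on hosts-file text only, so nothing needs admin rights to run; the function names, the loopback addresses and the sample file content are assumptions made for illustration.

```python
# Added example, not wptserve code. The hostname is the one named in the thread;
# the addresses and the sample hosts text are constructed for illustration.
HOSTNAME = "web-platform.tests"
LOOPBACKS = {"127.0.0.1", "::1"}

def mapped_addresses(hosts_text, hostname):
    """Return the addresses that hosts_text maps hostname to, in file order."""
    found = []
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()  # drop comments, split on whitespace
        if len(fields) < 2:
            continue  # blank, comment-only or malformed line
        address, names = fields[0], fields[1:]
        if hostname.lower() in (n.lower() for n in names):  # names are case-insensitive
            found.append(address)
    return found

def ensure_entry(hosts_text, hostname=HOSTNAME, address="127.0.0.1"):
    """Return (new_text, changed); append a line only when hostname is unmapped.

    Raises ValueError when the name already points at a non-loopback address,
    because tests run under this name would then reach another machine.
    """
    existing = mapped_addresses(hosts_text, hostname)
    foreign = [a for a in existing if a not in LOOPBACKS]
    if foreign:
        raise ValueError(f"{hostname} already mapped to {foreign}")
    if existing:
        return hosts_text, False  # already present, leave the file alone
    if hosts_text and not hosts_text.endswith("\n"):
        hosts_text += "\n"  # do not glue the new entry onto the last line
    return hosts_text + f"{address}\t{hostname}\n", True

# Constructed sample: the commented-out entry must not count as a mapping,
# and the last line has no trailing newline.
SAMPLE = (
    "127.0.0.1 localhost\n"
    "# 127.0.0.1 web-platform.tests\n"
    "::1 localhost ip6-localhost"
)

if __name__ == "__main__":
    text, changed = ensure_entry(SAMPLE)
    print(changed)
    print(text, end="")
```
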