W3C home > Mailing lists > Public > public-wsc-wg@w3.org > April 2007

Re: FW: .safe TLD idea from ICANN

From: Yngve Nysaeter Pettersen <yngve@opera.com>
Date: Mon, 16 Apr 2007 14:53:19 +0200
To: "Mary Ellen Zurko" <Mary_Ellen_Zurko@notesdev.ibm.com>, "<michael.mccormick" <michael.mccormick@wellsfargo.com>
Cc: public-wsc-wg@w3.org
Message-ID: <op.tqvne5o6vqd7e2@killashandra-ii.oslo.opera.com>

On Mon, 16 Apr 2007 14:27:36 +0200, Mary Ellen Zurko  
<Mary_Ellen_Zurko@notesdev.ibm.com> wrote:

> Which reminds me of an error I was a bit suprised at (though not on
> reflection). I typed in my bank's home page with https, but with .com
> (it's really a .org). So I got an SSL error telling me "the name on the
> security certificate is invalid or does not match the name of the site".
> Neither of which is quite accurate. The cert matches the site that is
> being brought up; I'm just being redirected because I made a common
> mistake. So, oddly, won't all those users used to typing .com get SSL
> errors when redirected to .safe (if https is specified)?

The client is required, by RFC 2818, to check the HTTP hostname agains the  
name(s) of the server in the certificate and warn the user if they do not  
match.

A certificate can contain multiple hostnames through an extension, or by  
using a wildcard syntax. Such certificates tend to be more expensive  
though.

The common mistake is to assign the same IP address to the aliases of a  
hostname, but forget to make the certificate name all the alternative  
hostnames.

The TLS ServerName extension (supported by Opera 9) will eventually  
provide a better method for handling multiple identity servers.

I think the impact of mistakes such as the one Mez made is going to be  
limited, since most average users do not specify the https part.

-- 
Sincerely,
Yngve N. Pettersen

********************************************************************
Senior Developer		             Email: yngve@opera.com
Opera Software ASA                   http://www.opera.com/
Phone:  +47 24 16 42 60              Fax:    +47 24 16 40 01
********************************************************************
Received on Monday, 16 April 2007 12:57:35 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 5 February 2008 03:52:46 GMT