Needs urgent review: mobileOK tests on HTTPS

From: Thomas Roessler <tlr@w3.org>
Date: Wed, 13 Aug 2008 22:59:34 +0200
To: public-wsc-wg@w3.org, luis.barriga@ericsson.com, janv@opera.com
Cc: dom@w3.org
Message-ID: <20080813205934.GL383@iCoaster.does-not-exist.org>

Hello,

it came to my attention today that the mobileOK Basic Tests 1.0
Working Draft (in fact, their fourth Last Call WD, which ended in
late June) includes test requirements for the deployment of HTTPS on
mobile sites.

  http://www.w3.org/TR/mobileOK-basic10-tests/#http_response

There are two pieces to this:


1. Trusted CAs and Self-Signed Certificates

>To allow for self-signature of certificates during testing the
>signatory of a certificate should not be checked.

I understand this to be a requirement for the checker; it means that
use of a self-signed certificate [or of certificates from arbitrary
CAs] is deemed to lead to an acceptable user experience on a mobile
device.  I'm copying Dominique Hazael-Massieux, the Team Contact for
that Working Group; Dom, please clarify further if I got this wrong.

If there is any comment that the Working Group wants to make on this
choice, then some input on that would be useful.


2. TLS related errors

>If the response is an HTTPS response:
>  If the certificate is invalid, FAIL
>  If the certificate has expired, warn

I understand that this is meant to say that, if the URI that is
dereferenced does not match the certificate, then the test should
FAIL, and if the certificate has expired, there should be a warning.
Other error conditions are not considered.  I understand the
motivation to be the user experience on mobile devices.

My reaction would be that this text should at the very least be
clarified to say:

  If the resource is accessed through HTTPS:
    If the certificate presented does not match the resource's URI,
      FAIL.
    If the certificate has expired, warn.
    If certificate validation otherwise fails, FAIL.
  
  Checkers should consider arbitrary root certificates (including
  self-signed certificates) as valid.

If there are any additional comments that the Working Group wants to
make on the underlying design choices, then input would again be
most useful.


I'll plan to have a draft comment ready in time for our call next
week.

Regards,
-- 
Thomas Roessler, W3C  <tlr@w3.org>
Received on Wednesday, 13 August 2008 21:00:10 GMT
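
The checker rules proposed in the message above, written out as an added example; it is not code from the original message or from the mobileOK specification. The function names, the certificate dict fields, the single-label wildcard rule and the reading of "validation otherwise fails" as "not yet valid or bad signature" are assumptions made for illustration.

```python
from datetime import datetime, timezone

def name_matches(pattern, host):
    """Compare one certificate DNS name with the URI host.
    A leading '*' label matches exactly one label (assumed matching rule)."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*" and len(p) > 2:
        return p[1:] == h[1:]
    return p == h

def https_verdict(uri_host, cert, now):
    """Apply the proposed rules; returns (verdict, reasons).
    cert['issuer_trusted'] is never read: any root, including a
    self-signed certificate, counts as valid for the checker."""
    fails, warns = [], []
    if not any(name_matches(n, uri_host) for n in cert["dns_names"]):
        fails.append("certificate does not match the resource's URI")
    if now > cert["not_after"]:
        warns.append("certificate has expired")
    # Assumption: "validation otherwise fails" covers these two cases.
    if now < cert["not_before"]:
        fails.append("certificate is not yet valid")
    if not cert["signature_ok"]:
        fails.append("certificate signature does not verify")
    if fails:
        return "FAIL", fails + warns
    return ("warn", warns) if warns else ("PASS", [])

# Constructed sample data (not taken from any real site).
UTC = timezone.utc
NOW = datetime(2008, 8, 13, tzinfo=UTC)
SELF_SIGNED = {"dns_names": ["m.example.org"], "issuer_trusted": False,
               "signature_ok": True,
               "not_before": datetime(2008, 1, 1, tzinfo=UTC),
               "not_after": datetime(2009, 1, 1, tzinfo=UTC)}
EXPIRED = dict(SELF_SIGNED, not_after=datetime(2008, 6, 30, tzinfo=UTC))
WILDCARD = dict(SELF_SIGNED, dns_names=["*.example.org"])

if __name__ == "__main__":
    for host, cert in [("m.example.org", SELF_SIGNED), ("m.example.org", EXPIRED),
                       ("shop.example.org", SELF_SIGNED), ("a.b.example.org", WILDCARD)]:
        print(host, https_verdict(host, cert, NOW))
```

Because the issuer is never consulted, a PASS from this logic says only that the name, validity period and signature are consistent with each other, not that a client with a normal trust store would accept the certificate.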