W3C home > Mailing lists > Public > public-bpwg@w3.org > September 2008

Re: ACTION-841 Rework text referring to invalid certificate in mobileOK Basic Tests

From: Francois Daoust <fd@w3.org>
Date: Fri, 19 Sep 2008 15:55:11 +0200
Message-ID: <48D3AF3F.30501@w3.org>
To: Jo Rabin <jrabin@mtld.mobi>
CC: public-bpwg <public-bpwg@w3.org>

We haven't resolved anything on that and I haven't seen any reaction to 
the proposal.

It does look fine as far as I'm concerned (but I'm no security expert) 
and addresses the Web Security Context concerns. Thanks for reviewing 
this very carefully.

Jo, may I suggest that you prepare version 1zs of mobileOK Basic Tests 
for next call based on this change so that we can resolve on next call 
to move forward with this very last final version and reply to Thomas?

Francois.


Jo Rabin wrote:
> 
> WSC Proposal:
> 
> We propose that you update this criterion, at a minimum, as follows:
> 
> If the resource is accessed through HTTPS:
> 
>     If the certificate presented does not match the
>         resource's URI, FAIL.
> 
>     If the certificate has expired or is not yet valid, warn.
> 
>     If certificate validation otherwise fails, FAIL.
>     
>     Checker SHOULD consider arbitrary root certificates (including
>     self-signed certificates) as trusted for the purposes of
>     mobileOK testing.
> 
> =====
> 
> Current Text:
> 
> Note:
> 
> To allow for self-signature of certificates during testing the signatory
> of a certificate should not be checked.
> 
> 
> ...
> 
> 
> If the response is an HTTPS response:
> 
>     If the certificate is invalid, FAIL
> 
>     If the certificate has expired, warn
> 
> 
> 
> =====
> 
> Proposed replacement text:
> 
> Note:
> 
> Arbitrary root certificates (including self-signed certificates) should
> be regarded as trusted.
> 
> 
> ...
> 
> If the response is the result of a request for a URI which has the
> scheme https:
> 
>     If the certificate presented does not match the
>         requested URI, FAIL.
> 
>     If the certificate has expired or is not yet valid, warn.
> 
>     If certificate validation otherwise fails, FAIL.
>     
> 
> 
> 
> 
Received on Friday, 19 September 2008 13:55:51 UTC

This archive was generated by hypermail 2.4.0 : Friday, 25 March 2022 10:09:52 UTC