- From: Jo Rabin <jrabin@mtld.mobi>
- Date: Fri, 19 Sep 2008 17:43:34 +0100
- To: Francois Daoust <fd@w3.org>
- CC: public-bpwg <public-bpwg@w3.org>
> Jo, may I suggest that you prepare version 1zs of mobileOK Basic Tests
> for next call based on this change so that we can resolve on next call
> to move forward with this very last final version and reply to Thomas?

Yes, it didn't get picked up on the last call, but we deferred making a resolution till people had had the time to consider it.

I guess it might be worth sending the proposed text to the commenter before committing virtual pen to virtual paper for a new draft?

Jo

On 19/09/2008 14:55, Francois Daoust wrote:
> We haven't resolved anything on that and I haven't seen any reaction to
> the proposal.
>
> It does look fine as far as I'm concerned (but I'm no security expert)
> and addresses the Web Security Context concerns. Thanks for reviewing
> this very carefully.
>
> Jo, may I suggest that you prepare version 1zs of mobileOK Basic Tests
> for next call based on this change so that we can resolve on next call
> to move forward with this very last final version and reply to Thomas?
>
> Francois.
>
>
> Jo Rabin wrote:
>>
>> WSC Proposal:
>>
>> We propose that you update this criterion, at a minimum, as follows:
>>
>> If the resource is accessed through HTTPS:
>>
>> If the certificate presented does not match the
>> resource's URI, FAIL.
>>
>> If the certificate has expired or is not yet valid, warn.
>>
>> If certificate validation otherwise fails, FAIL.
>> Checker SHOULD consider arbitrary root certificates (including
>> self-signed certificates) as trusted for the purposes of
>> mobileOK testing.
>>
>> =====
>>
>> Current Text:
>>
>> Note:
>>
>> To allow for self-signature of certificates during testing the signatory
>> of a certificate should not be checked.
>>
>> ...
>>
>> If the response is an HTTPS response:
>>
>> If the certificate is invalid, FAIL
>>
>> If the certificate has expired, warn
>>
>> =====
>>
>> Proposed replacement text:
>>
>> Note:
>>
>> Arbitrary root certificates (including self-signed certificates) should
>> be regarded as trusted.
>>
>> ...
>>
>> If the response is the result of a request for a URI which has the
>> scheme https:
>>
>> If the certificate presented does not match the
>> requested URI, FAIL.
>>
>> If the certificate has expired or is not yet valid, warn.
>>
>> If certificate validation otherwise fails, FAIL.
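The decision procedure in the proposed replacement text, written out as an added example (not code from this thread or from any mobileOK checker). It assumes the certificate arrives in the dict shape Python's ssl.getpeercert() returns (the sample below is constructed), that chain and signature integrity are reported by a caller-supplied other_validation_ok flag with root trust deliberately unchecked, and that the three rules are evaluated independently so a single response can carry both a warn and a FAIL.

```python
import ssl
from urllib.parse import urlsplit

FAIL, WARN, PASS = "FAIL", "warn", "PASS"  # outcome labels used in the proposal

SAMPLE_CERT = {  # constructed sample in ssl.getpeercert() dict shape; not a real cert
    "subject": ((("commonName", "www.example.com"),),),
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "*.m.example.com")),
    "notBefore": "Sep 01 00:00:00 2008 GMT",
    "notAfter": "Sep 30 23:59:59 2008 GMT",
}

def at(cert_time):  # e.g. at("Sep 19 16:44:00 2008 GMT") -> seconds since the epoch
    return ssl.cert_time_to_seconds(cert_time)

def _name_matches(pattern, host):
    # A leading '*' matches exactly one label: '*.m.example.com' matches
    # 'x.m.example.com' but neither 'm.example.com' nor 'a.b.m.example.com'.
    pattern, host = pattern.lower(), host.lower()
    if not pattern.startswith("*."):
        return pattern == host
    first, _, rest = host.partition(".")
    return first != "" and rest == pattern[2:]

def cert_matches_uri(cert, uri):
    # dNSName entries are authoritative; the subject CN is used only if there are none.
    host = urlsplit(uri).hostname or ""
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:
        names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return any(_name_matches(n, host) for n in names)

def mobileok_https_outcome(cert, uri, other_validation_ok, now):
    """Apply the three proposed rules; return (overall, findings).
    Assumption of this example: rules are evaluated independently, so an expired
    certificate whose chain is also broken yields warn and FAIL. Root trust is never
    checked (arbitrary roots are regarded as trusted); other_validation_ok stands
    for signature/chain integrity only. `now` is seconds since the epoch."""
    findings = []
    if urlsplit(uri).scheme != "https":
        return PASS, findings  # the criterion applies to https: URIs only
    if not cert_matches_uri(cert, uri):
        findings.append((FAIL, "certificate presented does not match the requested URI"))
    if now < at(cert["notBefore"]):
        findings.append((WARN, "certificate is not yet valid"))
    elif now > at(cert["notAfter"]):
        findings.append((WARN, "certificate has expired"))
    if not other_validation_ok:
        findings.append((FAIL, "certificate validation otherwise fails"))
    levels = {level for level, _ in findings}
    return (FAIL if FAIL in levels else WARN if WARN in levels else PASS), findings
```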
Received on Friday, 19 September 2008 16:44:44 UTC