- From: Francois Daoust <fd@w3.org>
- Date: Fri, 19 Sep 2008 16:33:37 +0200
- To: public-mobileok-checker <public-mobileok-checker@w3.org>
Hi,

I created a new bug on certificate validation, where the checker only returns a WARN message instead of a FAIL (if I'm correct, that is, I haven't had the time to play with SSL certificates):
http://www.w3.org/Bugs/Public/show_bug.cgi?id=6096

Per Jo's proposal, following the post-last-call comment from the Web Security Context working group, two changes need to be introduced in the way HTTPS responses are checked by the checker:

1/ arbitrary root certificates should not trigger any error. Actually, I wonder if the recursive search for self-signed certificates we already have is not enough. Is it?

2/ the certificate should be checked against the host name of the requested URI. AFAICT, this is simply not done or at least not caught.

Any thoughts?

Francois.

Received on Friday, 19 September 2008 14:34:10 UTC
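
Point 2 of the message above (checking the certificate against the host name of the requested URI), shown as an added example that is not part of the original post or of the checker's code: RFC 2818-style matching of the URI host against the names a certificate presents. The function names and the sample names in use are assumptions, and extracting the names from the certificate is assumed to happen elsewhere.

```python
import ipaddress
from urllib.parse import urlsplit


def _as_ip(text):
    """Return an ip_address object, or None if text is not an IP literal."""
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None


def _dns_name_matches(pattern, host):
    """Compare one certificate name with the host, label by label.

    A "*" is honoured only as the entire left-most label and only when at
    least two further labels follow, so "*.org" matches nothing.
    """
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h


def cert_matches_uri(uri, dns_names, ip_names=(), common_name=None):
    """True if the certificate names cover the host of the requested URI.

    dns_names / ip_names: subjectAltName entries already extracted from the
    certificate (assumption: extraction happens elsewhere).
    common_name: subject CN, used only when no dNSName entry is present.
    """
    host = urlsplit(uri).hostname
    if not host:
        return False
    ip = _as_ip(host)
    if ip is not None:
        # IP hosts must match an iPAddress entry, never a DNS name or wildcard.
        return any(_as_ip(name) == ip for name in ip_names)
    candidates = list(dns_names) or ([common_name] if common_name else [])
    return any(_dns_name_matches(name, host) for name in candidates)
```

A `False` result is the condition the message asks the checker to catch; how that maps to WARN or FAIL is left to the checker.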