- From: Anil Saldhana <Anil.Saldhana@redhat.com>
- Date: Tue, 25 Sep 2007 15:41:05 -0500
- To: "public-wsc-wg@w3.org" <public-wsc-wg@w3.org>
That section has been authored by tlr. He will be best to clarify/clean up the section.

michael.mccormick@wellsfargo.com wrote:
> Thank you Anil. I feel the updated sections 5.3 and 5.3.1 faithfully
> capture the spirit & intent of the "McCormick Principles". Why is 5.3.1
> non-normative?
>
> Normative section 5.3.2 OTOH is a specific agent requirement
> (redirection based on server certificate subject) that goes beyond
> anything I had proposed. If I interpret 5.3.2 correctly, it says when
> Alice types the URL "https://www.Bob.com" in her browser, but the
> browser encounters a server SSL certificate with a subject DN of
> "www.Carol.com", then Alice's browser would be silently redirected to
> URL "https://www.Carol.com". This seems to create a new attack vector
> for Carol to divert https traffic from Bob's site to her own, without
> Alice being informed unless she happens to notice the change on her
> location bar. Hopefully I misunderstood.
>
> -----Original Message-----
> From: public-wsc-wg-request@w3.org [mailto:public-wsc-wg-request@w3.org]
> On Behalf Of Anil Saldhana
> Sent: Monday, September 24, 2007 10:55 PM
> To: public-wsc-wg@w3.org
> Subject: Re: Section 5.3: Mike McCormick's General Principals (Error
> Signaling)
>
>
> Mike,
> I have incorporated your general principles into the current draft.
> Can you take a look and tell me if I am missing something that you deem
> important?
> http://www.w3.org/2006/WSC/drafts/rec/rewrite.xml
>
> Regards,
> Anil
>
> michael.mccormick@wellsfargo.com wrote:
>
>> That's it! Thanks, Mike
>>
>> -----Original Message-----
>> From: public-wsc-wg-request@w3.org
>> [mailto:public-wsc-wg-request@w3.org]
>> On Behalf Of Anil Saldhana
>> Sent: Friday, September 21, 2007 9:35 AM
>> To: public-wsc-wg@w3.org
>> Subject: Section 5.3: Mike McCormick's General Principals (Error
>> Signaling)
>>
>>
>> Mike,
>> I have an action item on incorporating your general principles on
>> error signaling.
>>
>> The action item is: ACTION-292
>>
>> I want to confirm that your work on this is here:
>> http://www.w3.org/2006/WSC/wiki/RecommendationDisplayProposals/CertErr
>>
>> (artifact of ACTION-210)
>>
>> Apart from this, anywhere else I need to look for?
>>
>> Regards,
>> Anil
>>
>
> --
> Anil Saldhana
> Project/Technical Lead,
> JBoss Security & Identity Management
> JBoss, A division of Red Hat Inc.
> http://labs.jboss.com/portal/jbosssecurity/

--
Anil Saldhana
Project/Technical Lead,
JBoss Security & Identity Management
JBoss, A division of Red Hat Inc.
http://labs.jboss.com/portal/jbosssecurity/
Received on Tuesday, 25 September 2007 20:41:25 UTC