- From: Thomas Roessler <tlr@w3.org>
- Date: Thu, 27 Sep 2007 08:09:02 -0700
- To: michael.mccormick@wellsfargo.com
- Cc: Anil.Saldhana@redhat.com, public-wsc-wg@w3.org
On 2007-09-25 14:34:24 -0500, michael.mccormick@wellsfargo.com wrote:

> Normative section 5.3.2 OTOH is a specific agent requirement
> (redirection based on server certificate subject) that goes
> beyond anything I had proposed.

Correct.

> If I interpret 5.3.2 correctly, it says when Alice types the URL
> "https://www.Bob.com" in her browser, but the browser encounters
> a server SSL certificate with a subject DN of "www.Carol.com",
> then Alice's browser would be silently redirected to URL
> "https://www.Carol.com". This seems to create a new attack
> vector for Carol to divert https traffic from Bob's site to her
> own, without Alice being informed unless she happens to notice
> the change on her location bar. Hopefully I misunderstood.

Your reading suggests a need for clarifying the language in that
section. The idea is that, if there's a reasonably strong SSL
certificate in place, Alice be offered the possibility to navigate
to Carol, by way of an error page.

A quick mock-up (as good as that's possible in text/plain ;-):

    You tried to navigate to www.bob.com. That site could not be
    reached. Instead, you were connected to a site of Foobar
    Industries.

    [ Go back ]  [ Take me to Foobar Industries ]

Cheers,
--
Thomas Roessler, W3C <tlr@w3.org>
Received on Thursday, 27 September 2007 15:26:25 UTC
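The distinction the thread turns on, a user-mediated error page versus a silent redirect when the certificate's subject does not match the requested host, as an added illustration that is not part of the original mailing-list message or of the WSC specification. The `ServerCert` fields, the `decide` function and the hostname-matching helper are assumptions made for this example; the certificate values are constructed.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed stand-in for the fields a browser reads from the server
# certificate (hypothetical structure, not taken from the thread).
@dataclass
class ServerCert:
    subject_cn: str                 # CN= of the subject DN, e.g. "www.carol.com"
    organization: str               # O= of the subject DN, e.g. "Foobar Industries"
    san_dns: List[str] = field(default_factory=list)  # dNSName entries
    strong: bool = True             # chain validated to a trusted root

def _matches(pattern: str, host: str) -> bool:
    """RFC 2818-style match: exact name, or one leftmost wildcard label."""
    pattern, host = pattern.lower(), host.lower()
    if pattern == host:
        return True
    if pattern.startswith("*.") and host.count(".") >= 2:
        return host.split(".", 1)[1] == pattern[2:]
    return False

def cert_matches_host(cert: ServerCert, host: str) -> bool:
    names = cert.san_dns or [cert.subject_cn]   # SAN takes precedence over CN
    return any(_matches(n, host) for n in names)

@dataclass
class Decision:
    action: str                       # "proceed" | "interstitial" | "error"
    message: str = ""
    choices: Tuple[str, ...] = ()     # user-selectable only; nothing auto-navigates
    target: Optional[str] = None      # where "Take me to ..." would lead

def decide(requested_host: str, cert: ServerCert) -> Decision:
    """Mismatch handling: never redirect silently; offer a choice instead."""
    if cert_matches_host(cert, requested_host):
        return Decision("proceed")
    if not cert.strong:
        # Unverified certificate: no identity to offer, plain error.
        return Decision("error", f"{requested_host} could not be verified.")
    target = cert.san_dns[0] if cert.san_dns else cert.subject_cn
    msg = (f"You tried to navigate to {requested_host}. That site could not "
           f"be reached. Instead, you were connected to a site of "
           f"{cert.organization}.")
    return Decision("interstitial", msg,
                    ("Go back", f"Take me to {cert.organization}"),
                    f"https://{target}")
```

The caller (the browser) only follows `target` if the user picks the second choice; the location bar never changes on its own.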