- From: Yngve N. Pettersen (Developer Opera Software ASA) <yngve@opera.com>
- Date: Thu, 24 Apr 2008 23:02:37 +0200
- To: "Mary Ellen Zurko" <Mary_Ellen_Zurko@notesdev.ibm.com>, "Thomas Roessler" <tlr@w3.org>
- Cc: public-wsc-wg@w3.org

On Thu, 24 Apr 2008 22:49:20 +0200, Mary Ellen Zurko <Mary_Ellen_Zurko@notesdev.ibm.com> wrote:

>> > http://www.w3.org/2006/WSC/drafts/rec/rewrite.html#sec-tlserrors
>> >
>> > "When the URL corresponding to the transaction at hand does not match the
>> > certificate presented, and a validated certificate is used, then error
>> > signalling of level warning or above (6.4.3 Warning/Caution Messages,
>> > 6.4.4 Danger Messages) MUST be used."
>> >
>> > This one seems like a low ball to me. The whole point of the TLS server
>> > authentication is to match the certificate to the URL. Why is the low bar
>> > on this warning, instead of always danger?
>
>> I think I took this from Serge's material; personally, I'd be as
>> happy to use danger right away.
>
> Only you and I seem to care. Willing to make the change? Or should I put
> it in as an issue?

I am fine with escalating severity on this type of problem.

When there is a servername mismatch, Opera's warning cautions that somebody may be trying to listen in on the connection.

Actually blocking the resource would IMO be preferable.

--
Sincerely,
Yngve N. Pettersen

********************************************************************
Senior Developer                 Email: yngve@opera.com
Opera Software ASA               http://www.opera.com/
Phone: +47 24 16 42 60           Fax: +47 24 16 40 01
********************************************************************

Received on Thursday, 24 April 2008 21:03:31 UTC