Re: Some major edits just checked in. - tls errors

I concur.  A name mismatch is probably the most severe warning (besides 
a revoked certificate), so this should probably correspond to the 
highest level (i.e. "danger").

serge

Yngve N. Pettersen (Developer Opera Software ASA) wrote:
> 
> On Thu, 24 Apr 2008 22:49:20 +0200, Mary Ellen Zurko 
> <Mary_Ellen_Zurko@notesdev.ibm.com> wrote:
> 
>>> > http://www.w3.org/2006/WSC/drafts/rec/rewrite.html#sec-tlserrors
>>> >
>>> > "When the URL corresponding to the transaction at hand does not match the
>>> > certificate presented, and a validated certificate is used, then error
>>> > signalling of level warning or above (6.4.3 Warning/Caution Messages,
>>> > 6.4.4 Danger Messages) MUST be used."
>>> >
>>> > This one seems like a low ball to me. The whole point of the TLS server
>>> > authentication is to match the certificate to the URL. Why is the low bar
>>> > on this warning, instead of always danger?
>>
>>> I think I took this from Serge's material; personally, I'd be as
>>> happy to use danger right away.
>>
>> Only you and I seem to care. Willing to make the change? Or should I put
>> it in as an issue?
> 
> 
> I am fine with escalating severity on this type of problem.
> 
> When there is a servername mismatch Opera's warning cautions that 
> somebody may be trying to listen in on the connection. Actually blocking 
> the resource would IMO be preferable.
> 
> 
> 
> --Sincerely,
> Yngve N. Pettersen
>  
> ********************************************************************
> Senior Developer                     Email: yngve@opera.com
> Opera Software ASA                   http://www.opera.com/
> Phone:  +47 24 16 42 60              Fax:    +47 24 16 40 01
> ********************************************************************
> 
> 

-- 
/*
PhD Candidate
Carnegie Mellon University

"Whoever said there's no such thing as a free lunch was never a grad 
student."

All views contained in this message, either expressed or implied, are 
the views of my employer, and not my own.
*/

Received on Friday, 25 April 2008 15:14:44 UTC