Re: Some major edits just checked in. - tls errors

OK, when Serge, Yngve, Thomas and I agree, it must be the right thing. 

I'm going to claim consensus. I'll create an Issue. Anil or Thomas, let me 
know if you want an action (and if you do, the due date :-). 




From: Serge Egelman <egelman@cs.cmu.edu>
To: "Yngve N. Pettersen (Developer Opera Software ASA)" <yngve@opera.com>
Cc: Mary Ellen Zurko <Mary_Ellen_Zurko@notesdev.ibm.com>, Thomas Roessler <tlr@w3.org>, public-wsc-wg@w3.org
Date: 04/25/2008 12:15 PM
Subject: Re: Some major edits just checked in. - tls errors



I concur.  A name mismatch is probably the most severe warning (besides 
a revoked certificate), so this should probably correspond to the 
highest level (i.e. "danger").

serge

Yngve N. Pettersen (Developer Opera Software ASA) wrote:
> 
> On Thu, 24 Apr 2008 22:49:20 +0200, Mary Ellen Zurko 
> <Mary_Ellen_Zurko@notesdev.ibm.com> wrote:
> 
>>> > http://www.w3.org/2006/WSC/drafts/rec/rewrite.html#sec-tlserrors
>>> >
>>> > "When the URL corresponding to the transaction at hand does not match the
>>> > certificate presented, and a validated certificate is used, then error
>>> > signalling of level warning or above (6.4.3 Warning/Caution Messages,
>>> > 6.4.4 Danger Messages) MUST be used."
>>> >
>>> > This one seems like a low ball to me. The whole point of the TLS server
>>> > authentication is to match the certificate to the URL. Why is the low bar
>>> > on this warning, instead of always danger?
>>
>>> I think I took this from Serge's material; personally, I'd be as
>>> happy to use danger right away.
>>
>> Only you and I seem to care. Willing to make the change? Or should I put
>> it in as an issue?
> 
> 
> I am fine with escalating severity on this type of problem.
> 
> When there is a servername mismatch Opera's warning cautions that 
> somebody may be trying to listen in on the connection. Actually blocking 
> the resource would IMO be preferable.
> 
> 
> 
> --Sincerely,
> Yngve N. Pettersen
> 
> ********************************************************************
> Senior Developer                     Email: yngve@opera.com
> Opera Software ASA                   http://www.opera.com/
> Phone:  +47 24 16 42 60              Fax:    +47 24 16 40 01
> ********************************************************************
> 
> 

-- 
/*
PhD Candidate
Carnegie Mellon University

"Whoever said there's no such thing as a free lunch was never a grad 
student."

All views contained in this message, either expressed or implied, are 
the views of my employer, and not my own.
*/

Received on Friday, 25 April 2008 17:18:47 UTC