- From: Thomas Roessler <tlr@w3.org>
- Date: Wed, 27 Aug 2008 18:40:15 +0200
- To: luis.barriga@ericsson.com, janv@opera.com
- Cc: public-wsc-wg@w3.org
I propose to send this comment on behalf of the Web Security Context
Working Group. Please let me know within 48h whether you object.
Luis, Jan Vidar: I'd like an exlicit thumbs-up from each of you.
Regards,
--
Thomas Roessler, W3C <tlr@w3.org>
----- Forwarded message from Thomas Roessler <tlr@w3.org> -----
From: Thomas Roessler <tlr@w3.org>
To: dom@w3.org, public-bpwg-comments@w3.org
Cc: public-wsc-wg@w3.org
Subject: mobile OK tests: HTTPS considerations
Bcc: roessler@does-not-exist.org
Hello,
this is a post last call comment concerning the mobile OK basic
tests 1.0, on behalf of the Web Security Context Working Group.
We notice that section 2.4.3 - HTTP Response - uses the notion of an
"HTTPS response". There is no such thing.
We also notice that the notion of an "invalid certificate" does not
match what we understand to be the Best Practice Working Group's
intention with this test.
We propose that you update this criterion, at a minimum, as follows:
If the resource is accessed through HTTPS:
If the certificate presented does not match the
resource's URI, FAIL.
If the certificate has expired or is not yet valid, warn.
If certificate validation otherwise fails, FAIL.
Checker SHOULD consider arbitrary root certificates (including
self-signed certificates) as trusted for the purposes of
mobileOK testing.
Note that there are additional error conditions that can occur
during TLS negotiation, including a mismatch on supported algorithms
and protocol versions.
Regards,
--
Thomas Roessler, W3C <tlr@w3.org>
----- End forwarded message -----
Received on Wednesday, 27 August 2008 16:41:19 UTC