Re: draft comment: mobileOK & https

Thomas Roessler wrote:
> I propose to send this comment on behalf of the Web Security Context
> Working Group.  Please let me know within 48h whether you object.
>
> Luis, Jan Vidar: I'd like an explicit thumbs-up from each of you.

My thumb is up.

-janvidar


> Regards,
> --
> Thomas Roessler, W3C  <tlr@w3.org>
>
> ----- Forwarded message from Thomas Roessler <tlr@w3.org> -----
>
> From: Thomas Roessler <tlr@w3.org>
> To: dom@w3.org, public-bpwg-comments@w3.org
> Cc: public-wsc-wg@w3.org
> Subject: mobile OK tests: HTTPS considerations
> Bcc: roessler@does-not-exist.org
>
> Hello,
>
> this is a post last call comment concerning the mobile OK basic
> tests 1.0, on behalf of the Web Security Context Working Group.
>
> We notice that section 2.4.3 - HTTP Response - uses the notion of an
> "HTTPS response".  There is no such thing.
>
> We also notice that the notion of an "invalid certificate" does not
> match what we understand to be the Best Practice Working Group's
> intention with this test.
>
> We propose that you update this criterion, at a minimum, as follows:
>
>   If the resource is accessed through HTTPS:
>     If the certificate presented does not match the
>         resource's URI, FAIL.
>
>     If the certificate has expired or is not yet valid, warn.
>
>     If certificate validation otherwise fails, FAIL.
>
>     Checker SHOULD consider arbitrary root certificates (including
>     self-signed certificates) as trusted for the purposes of
>     mobileOK testing.
>
> Note that there are additional error conditions that can occur
> during TLS negotiation, including a mismatch on supported algorithms
> and protocol versions.
>
> Regards,

-- 
Jan Vidar Krey
Unix Software Engineer
B2B Chief Security Officer

Opera Software ASA
tel: +47 24164287 (work) / +47 98607328 (mobile)

Parkinson's Fifth Law:
	If there is a way to delay an important decision, the good
	bureaucracy, public or private, will find it.

Received on Wednesday, 27 August 2008 16:47:58 UTC
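Added example, not part of the original thread and not code from the WSC or BPWG working groups, Opera, or any mobileOK checker: the criterion quoted above is easy to get subtly wrong in a checker because the order of the rules matters. A name mismatch or an issuer the checker cannot validate must FAIL even when the certificate has also expired, while a date problem on its own only warns. The Go program below implements the proposed rules with the standard library's crypto/x509. Everything in it is constructed for this page: the function names (CheckPresentedChain, PresentedRoots, DemoChain, Days), the private CA, the example.com leaf and the dates. Validating the rest of the chain at the midpoint of the leaf's validity period, so that an expired certificate cannot hide an untrusted issuer, is this example's design choice, not something the comment specifies.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Verdict is the outcome of the proposed mobileOK HTTPS criterion.
type Verdict string
const Pass, Warn, Fail Verdict = "PASS", "WARN", "FAIL"

// PresentedRoots makes every self-signed certificate the server sent a trust
// anchor: "consider arbitrary root certificates (including self-signed
// certificates) as trusted for the purposes of mobileOK testing".
func PresentedRoots(chain []*x509.Certificate) *x509.CertPool {
	pool := x509.NewCertPool()
	for _, c := range chain {
		// Self-signed: issuer equals subject and the signature verifies under the cert's own key.
		if bytes.Equal(c.RawIssuer, c.RawSubject) &&
			c.CheckSignature(c.SignatureAlgorithm, c.RawTBSCertificate, c.Signature) == nil {
			pool.AddCert(c)
		}
	}
	return pool
}

// CheckPresentedChain applies the proposed rules, in the proposed order, to a
// presented chain (leaf first) for the host named in the resource's URI.
func CheckPresentedChain(chain []*x509.Certificate, host string, roots *x509.CertPool, now time.Time) (Verdict, string) {
	if len(chain) == 0 {
		return Fail, "no certificate presented"
	}
	leaf := chain[0]
	// Certificate does not match the resource's URI: FAIL.
	if err := leaf.VerifyHostname(host); err != nil {
		return Fail, "name mismatch: " + err.Error()
	}
	// Expired or not yet valid: warn, but validate the chain at an instant inside
	// the leaf's validity first, so a date problem cannot hide a trust problem.
	dateProblem, checkTime := "", now
	if now.Before(leaf.NotBefore) || now.After(leaf.NotAfter) {
		dateProblem = "certificate expired or not yet valid"
		checkTime = leaf.NotBefore.Add(leaf.NotAfter.Sub(leaf.NotBefore) / 2)
	}
	// Any other validation failure (unknown issuer, bad signature, constraints): FAIL.
	intermediates := x509.NewCertPool()
	for _, c := range chain[1:] {
		intermediates.AddCert(c)
	}
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: intermediates, CurrentTime: checkTime}); err != nil {
		return Fail, "chain validation failed: " + err.Error()
	}
	if dateProblem != "" {
		return Warn, dateProblem
	}
	return Pass, "certificate validated"
}

// Constructed fixture (not from the page): a private CA no trust store knows and a leaf for example.com.
var DemoBase = time.Date(2008, 8, 27, 0, 0, 0, 0, time.UTC)

func Days(d int) time.Time { return DemoBase.Add(time.Duration(d) * 24 * time.Hour) }

func mustCert(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, key *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, key)
	if err != nil {
		panic(err)
	}
	c, _ := x509.ParseCertificate(der) // DER produced one line above always parses
	return c
}

// DemoChain returns [leaf, self-signed CA] in the order a server would present it.
func DemoChain() []*x509.Certificate {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "mobileOK demo CA"},
		NotBefore: Days(-1), NotAfter: Days(3650), KeyUsage: x509.KeyUsageCertSign, BasicConstraintsValid: true, IsCA: true}
	ca := mustCert(caTmpl, caTmpl, &caKey.PublicKey, caKey)
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "example.com"},
		DNSNames: []string{"example.com"}, NotBefore: Days(0), NotAfter: Days(365)}
	return []*x509.Certificate{mustCert(leafTmpl, ca, &leafKey.PublicKey, caKey), ca}
}

func main() {
	chain := DemoChain()
	for _, now := range []time.Time{Days(30), Days(400)} {
		v, why := CheckPresentedChain(chain, "example.com", PresentedRoots(chain), now)
		fmt.Println(now.Format("2006-01-02"), v, why)
	}
}
```

Run as-is, it reports PASS for example.com thirty days into the leaf's validity and WARN once the leaf has expired. Change the host to other.example, or pass PresentedRoots(nil) (an empty trust store, i.e. a strict checker that does not accept the presented self-signed CA) instead of PresentedRoots(chain), and both cases FAIL, the second one even when the certificate has also expired. The TLS negotiation failures the comment mentions (a mismatch on supported algorithms or protocol versions) happen before any certificate is received, so they have to be reported by the connection layer rather than by a certificate check like this one.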