- From: Luis Barriga <luis.barriga@ericsson.com>
- Date: Thu, 28 Aug 2008 11:40:24 +0200
- To: "Thomas Roessler" <tlr@w3.org>
- Cc: "Luis Barriga" <luis.barriga@ericsson.com>, <janv@opera.com>, <public-wsc-wg@w3.org>
I agree with the feedback. One question. The document states that Basic and Digest MUST be implemented. Shouldn't we comment that Basic is not recommended or that if implemented it MUST be over HTTPS?

/Luis

---original e-mail---
Sender: "Thomas Roessler" <tlr@w3.org>
Send to: "luis.barriga@ericsson.com" <luis.barriga@ericsson.com>, "janv@opera.com" <janv@opera.com>
Sent time: 27.08.2008 18:40
Subject: draft comment: mobileOK & https

I propose to send this comment on behalf of the Web Security Context Working Group. Please let me know within 48h whether you object.

Luis, Jan Vidar: I'd like an explicit thumbs-up from each of you.

Regards,
--
Thomas Roessler, W3C <tlr@w3.org>

----- Forwarded message from Thomas Roessler <tlr@w3.org> -----

From: Thomas Roessler <tlr@w3.org>
To: dom@w3.org, public-bpwg-comments@w3.org
Cc: public-wsc-wg@w3.org
Subject: mobile OK tests: HTTPS considerations
Bcc: roessler@does-not-exist.org

Hello,

this is a post last call comment concerning the mobile OK basic tests 1.0, on behalf of the Web Security Context Working Group.

We notice that section 2.4.3 - HTTP Response - uses the notion of an "HTTPS response". There is no such thing.

We also notice that the notion of an "invalid certificate" does not match what we understand to be the Best Practice Working Group's intention with this test.

We propose that you update this criterion, at a minimum, as follows:

  If the resource is accessed through HTTPS:
    If the certificate presented does not match the resource's URI, FAIL.
    If the certificate has expired or is not yet valid, warn.
    If certificate validation otherwise fails, FAIL.
  Checker SHOULD consider arbitrary root certificates (including self-signed certificates) as trusted for the purposes of mobileOK testing.

Note that there are additional error conditions that can occur during TLS negotiation, including a mismatch on supported algorithms and protocol versions.

Regards,
--
Thomas Roessler, W3C <tlr@w3.org>

----- End forwarded message -----
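The proposed criterion above, modelled as an added example that is not part of the thread and not code from any W3C checker: a function that takes a URI, the already-parsed fields of the server certificate, and the current time, and returns the mobileOK outcome (FAIL for a name mismatch or any other validation failure, WARN for an expired or not-yet-valid certificate, PASS otherwise, N/A for a non-HTTPS URI). Root trust is left out on purpose, matching the proposal's "arbitrary root certificates ... SHOULD be trusted": the `chain_ok` flag stands only for signature and chain integrity. The `CertInfo` type, the RFC 6125 style wildcard matcher and all sample certificates are assumptions constructed for illustration; a real checker would pull these fields from the X.509 structure and would also have to handle iPAddress SANs and the TLS negotiation failures the comment mentions.

```python
"""Added example, not from the W3C thread: a model of the proposed
mobileOK HTTPS criterion.

Outcome, in the order the proposal lists the rules, with FAIL dominating
WARN when several conditions hold at once:
  - certificate does not match the resource's URI  -> FAIL
  - certificate expired or not yet valid           -> WARN
  - certificate validation otherwise fails         -> FAIL
  - everything checks out                          -> PASS
  - resource is not fetched over HTTPS             -> N/A
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timezone
from urllib.parse import urlsplit

FAIL, WARN, PASS, NA = "FAIL", "WARN", "PASS", "N/A"


@dataclass
class CertInfo:
    """Parsed certificate fields (assumed shape; constructed for the example)."""
    dns_names: list[str]      # subjectAltName dNSName entries
    not_before: datetime      # validity window, timezone-aware
    not_after: datetime
    chain_ok: bool = True     # signature/chain integrity only; root trust ignored


def host_matches(host: str, pattern: str) -> bool:
    """Match a URI host against one dNSName entry.

    Rules follow RFC 6125 section 6.4.3 in the conservative form most
    clients use: case-insensitive, a single '*' allowed only as the whole
    left-most label, never matching across a label boundary, and no
    wildcard on a two-label pattern such as '*.org'.
    """
    host = host.lower().rstrip(".")
    pattern = pattern.lower().rstrip(".")
    if "*" not in pattern:
        return host == pattern
    p_labels = pattern.split(".")
    h_labels = host.split(".")
    if p_labels[0] != "*" or any("*" in label for label in p_labels[1:]):
        return False
    if len(p_labels) < 3:
        return False
    return len(h_labels) == len(p_labels) and h_labels[1:] == p_labels[1:]


def mobileok_https_result(url: str, cert: CertInfo, now: datetime) -> str:
    """Apply the proposed criterion to one fetched resource."""
    parts = urlsplit(url)
    if parts.scheme.lower() != "https":
        return NA                      # criterion only applies to HTTPS
    host = parts.hostname or ""

    name_ok = any(host_matches(host, name) for name in cert.dns_names)
    in_window = cert.not_before <= now <= cert.not_after

    if not name_ok:
        return FAIL                    # wrong certificate for this URI
    if not cert.chain_ok:
        return FAIL                    # "validation otherwise fails"
    if not in_window:
        return WARN                    # expired / not yet valid
    return PASS


if __name__ == "__main__":
    utc = timezone.utc
    now = datetime(2008, 8, 28, 9, 41, tzinfo=utc)
    cert = CertInfo(["www.example.org", "*.m.example.org"],
                    datetime(2008, 1, 1, tzinfo=utc),
                    datetime(2009, 1, 1, tzinfo=utc))
    for u in ("https://www.example.org/", "https://a.b.m.example.org/",
              "http://www.example.org/"):
        print(u, mobileok_https_result(u, cert, now))
```

Note the ordering choice: a certificate that is both expired and issued for another host yields FAIL, not WARN, because the weaker outcome must never mask the stronger one; a checker that simply stops at the first matching rule in the proposal's list would get that case right by accident, but a chain-integrity failure on an expired certificate would then be reported as WARN, which is why the example evaluates the FAIL conditions before the time window.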
Received on Thursday, 28 August 2008 09:41:03 UTC