- From: Francois Daoust <fd@w3.org>
- Date: Fri, 19 Sep 2008 15:55:11 +0200
- To: Jo Rabin <jrabin@mtld.mobi>
- CC: public-bpwg <public-bpwg@w3.org>
We haven't resolved anything on that and I haven't seen any reaction to the proposal. It does look fine as far as I'm concerned (but I'm no security expert) and addresses the Web Security Context concerns. Thanks for reviewing this very carefully. Jo, may I suggest that you prepare version 1zs of mobileOK Basic Tests for next call based on this change so that we can resolve on next call to move forward with this very last final version and reply to Thomas? Francois. Jo Rabin wrote: > > WSC Proposal: > > We propose that you update this criterion, at a minimum, as follows: > > If the resource is accessed through HTTPS: > > If the certificate presented does not match the > resource's URI, FAIL. > > If the certificate has expired or is not yet valid, warn. > > If certificate validation otherwise fails, FAIL. > > Checker SHOULD consider arbitrary root certificates (including > self-signed certificates) as trusted for the purposes of > mobileOK testing. > > ===== > > Current Text: > > Note: > > To allow for self-signature of certificates during testing the signatory > of a certificate should not be checked. > > > ... > > > If the response is an HTTPS response: > > If the certificate is invalid, FAIL > > If the certificate has expired, warn > > > > ===== > > Proposed replacement text: > > Note: > > Arbitrary root certificates (including self-signed certificates) should > be regarded as trusted. > > > ... > > If the response is the result of a request for a URI which has the > scheme https: > > If the certificate presented does not match the > requested URI, FAIL. > > If the certificate has expired or is not yet valid, warn. > > If certificate validation otherwise fails, FAIL. > > > > >
Received on Friday, 19 September 2008 13:55:51 UTC