Re: ACTION-841 Rework text referring to invalid certificate in mobileOK Basic Tests

Jo Rabin wrote:
>>  Jo, may I suggest that you prepare version 1zs of mobileOK Basic Tests
>>  for next call based on this change so that we can resolve on next call
>>  to move forward with this very last final version and reply to Thomas?
> 
> Yes, it didn't get picked up on the last call, but we deferred making a 
> resolution till people had had the time to consider it. I guess it might 
> be worth sending the proposed text to the commenter before committing 
> virtual pen to virtual paper for a new draft?

Given the apparent lack of reaction within the working group in support 
of or against the proposed text, it seems reasonable to get the Web 
Security Context Working Group's approval. So "I don't disagree". I 
suppose you prefer to do it yourself, but feel free to action me if not!

Francois.


> 
> Jo
> 
> On 19/09/2008 14:55, Francois Daoust wrote:
>> We haven't resolved anything on that and I haven't seen any reaction 
>> to the proposal.
>>
>> It does look fine as far as I'm concerned (but I'm no security expert) 
>> and addresses the Web Security Context concerns. Thanks for reviewing 
>> this very carefully.
>>
>> Jo, may I suggest that you prepare version 1zs of mobileOK Basic Tests 
>> for next call based on this change so that we can resolve on next call 
>> to move forward with this very last final version and reply to Thomas?
>>
>> Francois.
>>
>>
>> Jo Rabin wrote:
>>>
>>> WSC Proposal:
>>>
>>> We propose that you update this criterion, at a minimum, as follows:
>>>
>>> If the resource is accessed through HTTPS:
>>>
>>>     If the certificate presented does not match the
>>>     resource's URI, FAIL.
>>>
>>>     If the certificate has expired or is not yet valid, warn.
>>>
>>>     If certificate validation otherwise fails, FAIL.
>>>     Checker SHOULD consider arbitrary root certificates (including
>>>     self-signed certificates) as trusted for the purposes of
>>>     mobileOK testing.
>>>
>>> =====
>>>
>>> Current Text:
>>>
>>> Note:
>>>
>>> To allow for self-signature of certificates during testing the signatory
>>> of a certificate should not be checked.
>>>
>>>
>>> ...
>>>
>>>
>>> If the response is an HTTPS response:
>>>
>>>     If the certificate is invalid, FAIL
>>>
>>>     If the certificate has expired, warn
>>>
>>>
>>>
>>> =====
>>>
>>> Proposed replacement text:
>>>
>>> Note:
>>>
>>> Arbitrary root certificates (including self-signed certificates) should
>>> be regarded as trusted.
>>>
>>>
>>> ...
>>>
>>> If the response is the result of a request for a URI which has the
>>> scheme https:
>>>
>>>     If the certificate presented does not match the
>>>     requested URI, FAIL.
>>>
>>>     If the certificate has expired or is not yet valid, warn.
>>>
>>>     If certificate validation otherwise fails, FAIL.
>>>   
>>>
>>>
> 

Received on Friday, 19 September 2008 17:11:41 UTC
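
The proposed replacement criterion from the thread above, sketched as an added Python example (not part of the original messages or of any mobileOK checker). The function names, the `other_validation_ok` flag, the simplified wildcard matching, the choice that FAIL overrides warn, and the sample certificate are all assumptions made for illustration.

```python
import ssl
from urllib.parse import urlsplit

# Constructed sample, shaped like ssl.SSLSocket.getpeercert() output.
SAMPLE_CERT = {
    "subject": ((("commonName", "example.org"),),),
    "subjectAltName": (("DNS", "example.org"), ("DNS", "*.example.org")),
    "notBefore": "Jan  1 00:00:00 2008 GMT",
    "notAfter": "Jan  1 00:00:00 2009 GMT",
}

def host_matches(pattern, host):
    """Exact match, or one left-most '*' label (simplified matching)."""
    p, h = pattern.lower().split("."), host.lower().split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def cert_names(cert):
    """DNS subjectAltName entries, falling back to commonName."""
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:
        names = [v for rdn in cert.get("subject", ()) for k, v in rdn
                 if k == "commonName"]
    return names

def mobileok_https_check(uri, cert, other_validation_ok, now):
    """Return 'N/A', 'PASS', 'WARN' or 'FAIL' for one requested URI.

    other_validation_ok: hypothetical flag for every validation step
    other than name and dates, computed with arbitrary roots (self-signed
    included) regarded as trusted. now: seconds since the epoch (UTC).
    """
    parts = urlsplit(uri)
    if parts.scheme != "https":
        return "N/A"                      # criterion covers https only
    host = parts.hostname or ""
    if not any(host_matches(n, host) for n in cert_names(cert)):
        return "FAIL"                     # certificate does not match URI
    if not other_validation_ok:
        return "FAIL"                     # validation otherwise fails
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if now < not_before or now > not_after:
        return "WARN"                     # expired or not yet valid
    return "PASS"
```

Because the name check and the remaining validation run before the date check, an expired certificate presented for the wrong host is reported as FAIL rather than as a warning.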