Edit comment LC-2159 for Mobile Web Best Practices Working Group

Quick access to LC-1978 LC-1979 LC-1980 LC-1981 LC-1991 LC-1992 LC-2159

Comment LC-2159

Comment Shortname:

Commenter: Thomas Roessler <tlr@w3.org> on behalf of Web Security Context Working Group

Message-id:

Section of the document concerned:

[Free text description]Document as a wholeW3C mobileOK Basic Tests 1.0 W3C Working Draft 10 June 2008 Abstract Status of this Document Table of Contents Appendices 1 Introduction 1.1 Levels of mobileOK 1.1.1 mobileOK Basic 1.1.2 mobileOK Pro 1.1.3 Out of Scope 1.1.4 Beyond mobileOK 1.2 Applicability 1.3 Claiming mobileOK conformance 2 Conformance 2.1 Use of Terms must, should etc. 2.2 Validity of the Tests 2.3 Testing Outcomes 2.4 Conduct of Tests 2.4.1 Order of Tests 2.4.2 HTTP Request 2.4.3 HTTP Response 2.4.4 Meta http-equiv Elements 2.4.5 CSS Style 2.4.6 Included Resources 2.4.7 Linked Resources 2.4.8 Validity 2.4.9 White Space 3 mobileOK Basic Tests 3.1 AUTO_REFRESH and REDIRECTION 3.2 CACHING 3.3 CHARACTER_ENCODING_SUPPORT and CHARACTER_ENCODING_USE 3.4 CONTENT_FORMAT_SUPPORT and VALID_MARKUP Note: In the following, an "html document" is a document th... Note: In the following, "regardless of its stated DOCTYPE"... Note: In the following, "a known XHTML version" means XHTML... 3.5 DEFAULT_INPUT_MODE 3.6 EXTERNAL_RESOURCES 3.7 GRAPHICS_FOR_SPACING 3.8 IMAGE_MAPS 3.9 IMAGES_RESIZING and IMAGES_SPECIFY_SIZE 3.10 LINK_TARGET_FORMAT 3.11 MEASURES 3.12 MINIMIZE 3.13 NO_FRAMES 3.14 NON-TEXT_ALTERNATIVES 3.15 OBJECTS_OR_SCRIPT 3.15.1 Object Element Processing Rule 3.16 PAGE_SIZE_LIMIT 3.17 PAGE_TITLE 3.18 POP_UPS 3.19 PROVIDE_DEFAULTS 3.20 STYLE_SHEETS_SUPPORT 3.21 STYLE_SHEETS_USE 3.22 TABLES_ALTERNATIVES 3.23 TABLES_LAYOUT 3.24 TABLES_NESTED A Acknowledgments (Non-Normative) B References (Non-Normative) BestPractices CSS GIF JPEG POWDER RFC 2119 RFC 2616 RFC 2617 Techniques UTF-8 WCAG XHTMLBasic11 XHTMLModularization XML10 XML11 C Relationship between Best Practices and mobileOK Tests (Non-Normative)
or

Refinement of the section concerned:

Status:

open proposal pending resolved_yes resolved_no resolved_partial other assigned to Nobody

Type: substantive editorial typo question general comment undefined

Resolution status:

Response drafted Resolution implemented Reply sent to commenter

Response status:

No response from Commenter yet Commenter approved disposition Commenter objected to disposition
Commenter's response (URI):

Comment:

Hello,

this is a post last call comment concerning the mobile OK basic
tests 1.0, on behalf of the Web Security Context Working Group.

We notice that section 2.4.3 - HTTP Response - uses the notion of an
"HTTPS response". There is no such thing.

We also notice that the notion of an "invalid certificate" does not
match what we understand to be the Best Practice Working Group's
intention with this test.

We propose that you update this criterion, at a minimum, as follows:

If the resource is accessed through HTTPS:
If the certificate presented does not match the
resource's URI, FAIL.

If the certificate has expired or is not yet valid, warn.

If certificate validation otherwise fails, FAIL.

Checker SHOULD consider arbitrary root certificates (including
self-signed certificates) as trusted for the purposes of
mobileOK testing.

Note that there are additional error conditions that can occur
during TLS negotiation, including a mismatch on supported algorithms
and protocol versions.

Regards,

Related issues: (space separated ids)

WG Notes:

Resolution: We added a section on HTTPS that refines the algorithm of determining an invalid https certificate.

(Please make sure the resolution is adapted for public consumption)