RE: Section 5.3: Mike McCormick's General Principals (Error Signaling)

Thank you, Anil.  I feel the updated sections 5.3 and 5.3.1 faithfully
capture the spirit & intent of the "McCormick Principles".  Why is 5.3.1
non-normative?

Normative section 5.3.2 OTOH is a specific agent requirement
(redirection based on server certificate subject) that goes beyond
anything I had proposed.  If I interpret 5.3.2 correctly, it says when
Alice types the URL "https://www.Bob.com" in her browser, but the
browser encounters a server SSL certificate with a subject DN of
"www.Carol.com", then Alice's browser would be silently redirected to
URL "https://www.Carol.com".  This seems to create a new attack vector
for Carol to divert https traffic from Bob's site to her own, without
Alice being informed unless she happens to notice the change on her
location bar.  Hopefully I misunderstood.

-----Original Message-----
From: public-wsc-wg-request@w3.org [mailto:public-wsc-wg-request@w3.org]
On Behalf Of Anil Saldhana
Sent: Monday, September 24, 2007 10:55 PM
To: public-wsc-wg@w3.org
Subject: Re: Section 5.3: Mike McCormick's General Principals (Error
Signaling)


Mike,
  I have incorporated your general principles into the current draft.  
Can you take a look and tell me if I am missing something that you deem
important?
http://www.w3.org/2006/WSC/drafts/rec/rewrite.xml

Regards,
Anil

michael.mccormick@wellsfargo.com wrote:
> That's it!  Thanks, Mike
>
> -----Original Message-----
> From: public-wsc-wg-request@w3.org 
> [mailto:public-wsc-wg-request@w3.org]
> On Behalf Of Anil Saldhana
> Sent: Friday, September 21, 2007 9:35 AM
> To: public-wsc-wg@w3.org
> Subject: Section 5.3: Mike McCormick's General Principals (Error
> Signaling)
>
>
> Mike,
>    I have an action item on incorporating your general principles on 
> error signaling.
>
> The action item is: ACTION-292
>
> I want to confirm that your work on this is here:
> http://www.w3.org/2006/WSC/wiki/RecommendationDisplayProposals/CertErr
>
> (artifact of ACTION-210)
>
> Apart from this, is there anywhere else I need to look?
>
> Regards,
> Anil
>

--
Anil Saldhana
Project/Technical Lead,
JBoss Security & Identity Management
JBoss, A division of Red Hat Inc.
http://labs.jboss.com/portal/jbosssecurity/

Received on Tuesday, 25 September 2007 19:35:02 UTC