Re: ACTION-607 Propose changes in 5.4.1 to clarify end entity vs intermediaries from Mary Ellen Zurko on 2009-06-12 (public-wsc-wg@w3.org from June 2009)

From: Mary Ellen Zurko <mzurko@us.ibm.com>
Date: Fri, 12 Jun 2009 18:25:17 -0400
To: "Joe Steele <steele" <steele@adobe.com>
Cc: WSC WG public <public-wsc-wg@w3.org>
Message-ID: <OF2C4FA962.6F108E7D-ON852575D3.0065F7FA-852575D3.007B2BA2@LocalDomain>

Looks good to me. 

From:   Joe Steele <steele@adobe.com>
To:     WSC WG public <public-wsc-wg@w3.org>
Date:   06/03/2009 12:21 PM
Subject:        ACTION-607 Propose changes in 5.4.1 to clarify end entity 
vs  intermediaries
Sent by:        public-wsc-wg-request@w3.org

I believe consensus was reached that for expiration and revocation, we 
need to call out intermediate certificates as being a source of TLS 
errors. Also in some places we need to specify the end-entity certificate 
for some sections.

Here are my proposed changes (in red):

When, for a TLS-protected HTTP connection, the end-entity certificate 
presented or one of the intermediate certificates in the certificate chain 
are found to have been revoked, error signaling of class danger (6.4.3 
Danger Messages) MUST be used.

When, for a TLS-protected HTTP connection, the end-entity certificate 
presented or one of the intermediate certificates in the certificate chain 
are found to have expired, error signaling of class danger (6.4.3 Danger 
Messages) MUST be used.

When the URL corresponding to the transaction at hand does not match the 
end-entity certificate presented, and a validated certificate  is used, 
then error signaling of level danger(6.4.3 Danger Messages) MUST be used.

Joe Steele

Received on Friday, 12 June 2009 22:26:30 UTC