Hello, this is a post-last-call comment concerning the mobileOK Basic Tests 1.0, on behalf of the Web Security Context Working Group.

We notice that section 2.4.3 - HTTP Response - uses the notion of an "HTTPS response". There is no such thing. We also notice that the notion of an "invalid certificate" does not match what we understand to be the Best Practice Working Group's intention with this test.

We propose that you update this criterion, at a minimum, as follows:

If the resource is accessed through HTTPS:
  - If the certificate presented does not match the resource's URI, FAIL.
  - If the certificate has expired or is not yet valid, warn.
  - If certificate validation otherwise fails, FAIL.

Checker SHOULD consider arbitrary root certificates (including self-signed certificates) as trusted for the purposes of mobileOK testing.

Note that there are additional error conditions that can occur during TLS negotiation, including a mismatch on supported algorithms and protocol versions.

Regards,
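How a checker could apply the criterion proposed in the comment above, as an added example that is not code from the Working Group or from the mobileOK checker: the certificate facts are constructed inline rather than parsed from a real certificate, and the names `CertFacts` and `mobileok_tls_verdict` are assumptions of this example. Name matching follows RFC 6125-style rules (one wildcard, left-most label only), which the comment does not spell out.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from urllib.parse import urlparse


@dataclass
class CertFacts:
    """Facts a checker would extract from the server certificate (constructed here)."""
    names: list              # dNSName subjectAltName entries (or CN fallback)
    not_before: datetime
    not_after: datetime
    chain_valid: bool        # path built and signatures verified; any root, self-signed included, counts as trusted


def _label_match(pattern, host):
    # RFC 6125-style: a wildcard is allowed only as the whole left-most label,
    # and it never matches across label boundaries or the bare parent domain.
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h) or len(p) < 2:
        return False
    if p[0] == "*":
        return p[1:] == h[1:]
    return p == h


def name_matches(cert_names, host):
    return any(_label_match(n, host) for n in cert_names)


def mobileok_tls_verdict(uri, cert, now=None):
    """Apply the proposed section 2.4.3 criterion; returns 'PASS', 'WARN' or 'FAIL'."""
    parsed = urlparse(uri)
    if parsed.scheme != "https":
        return "PASS"            # the criterion only applies to resources accessed over HTTPS
    now = now or datetime.now(timezone.utc)
    if not name_matches(cert.names, parsed.hostname or ""):
        return "FAIL"            # certificate does not match the resource's URI
    if not cert.chain_valid:
        return "FAIL"            # validation otherwise fails; checked before expiry so a bad chain is never downgraded to WARN
    if now < cert.not_before or now > cert.not_after:
        return "WARN"            # expired or not yet valid: warn, do not fail
    return "PASS"


if __name__ == "__main__":
    # Constructed sample: a self-signed wildcard certificate served for m.example.com
    sample = CertFacts(["*.example.com"], datetime(2008, 1, 1, tzinfo=timezone.utc),
                       datetime(2009, 1, 1, tzinfo=timezone.utc), chain_valid=True)
    print(mobileok_tls_verdict("https://m.example.com/", sample, datetime(2008, 6, 1, tzinfo=timezone.utc)))
```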