On Mon, Aug 18, 2014 at 8:22 AM, Watson Ladd <[email protected]> wrote:
> > If your told "make sure X is done", then testing you do X is implied. I think that the kind of people who post to this list think that it's implied. I don't believe that the audience would infer that they should test their code with security tools. They may not even know that security tools exist, even as a concept. I had this problem myself -- when I was writing Play WS, I literally had to draw a diagram of what was happening in hostname verification to be sure I understood it. And I got it wrong! I ended up drawing something over complicated! I couldn't find a single good developer oriented description of what I should look for in implementing hostname verification, and the JSSE reference guide refers to it as "URL spoofing" so I wasn't sure if it even meant the same thing. http://tersesystems.com/2014/03/23/fixing-hostname-verification/ I think at the very least, mentioning a test with an appropriate security tool and referencing positive and negative tests would be good. I'm still surprised that TLS doesn't come with a reference test suite that implementations have to pass, but that's another discussion. Will Sargent Consultant, Professional Services Typesafe <http://typesafe.com>, the company behind Play Framework <http://www.playframework.com>, Akka <http://akka.io> and Scala <http://www.scala-lang.org/>
_______________________________________________ Uta mailing list [email protected] https://www.ietf.org/mailman/listinfo/uta
