Hi all,

It's come to my attention that most servlet container vendors totally
ignore the requirements laid out Servlet API 2.3 SRV 4.7.  These
requirements are to expose various attributes of an SSL connection via
the javax.servlet.request.cipher_suite, javax.servlet.request.key_size,
and javax.servlet.request.X509Certificate request attributes.

My theory is that server vendors don't support this requirement because
Watchdog (and presumably the official TCK) don't actually check it, thus
giving server vendors a false sense of compatibility.  Whether my
theory's true or not, I'm confident that if Watchdog (and thus the
official TCK) started checking this requirement then soon enough all
servlet container vendors would support it.  I think that's pretty
important because banks and such need access to these attributes to
ensure a secure connection.

To that end, I'd like to get a sense of the thoughts here for if
Watchdog can add these sorts of tests.  I don't actually see any
SSL-based tests happening right now, but perhaps I'm not looking in the
right place.  Was that intentional, because of the difficulty setting up
an SSL server?  Is there another reason not to test for the SSL-related
requirements?  How much work would it be to add SSL-related testing? 
I'm happy to help to the extent I have time, but would appreciate
hearing the conventional wisdom surrounding these issues.


To unsubscribe, e-mail:   <mailto:[EMAIL PROTECTED]>
For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>

Reply via email to