
Re: Stephen Farrell's No Objection on draft-ietf-httpbis-alt-svc-12: (with COMMENT)

From: Mark Nottingham <mnot@mnot.net>
Date: Mon, 7 Mar 2016 13:19:16 +1100
Cc: The IESG <iesg@ietf.org>, Mike Bishop <michael.bishop@microsoft.com>, HTTP WG <ietf-http-wg@w3.org>
Message-Id: <1D1A2FE2-BD88-4DC9-B3D1-9AA1061AFC6C@mnot.net>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>

> On 5 Mar 2016, at 12:51 AM, Stephen Farrell <stephen.farrell@cs.tcd.ie> wrote:
> 
>>> - 9.2: What does "might also choose" mean and which "other 
>>> requirements" have you in mind? That's very vague.
>> 
>> Browsers can -- and do -- add other checks to certificates, and this
>> gives them wiggle-room to do so. This might be CT as it's not
>> required now, it might be a browser-specific blacklist based upon its
>> own data, it might be additional limits on validity periods, it might
>> be Perspectives or a similar approach, etc.
>> 
> 
> I have to say I'm still not clear on what could usefully be done
> there - are you envisaging e.g. paying attention to whether the
> new host name is in a SAN in the cert or matches a wildcard cert
> or something?
> 
> I also don't see how CT would interact with Alt-Svc at all, but
> maybe there's something.

It's just saying that clients can and do use additional means to validate certificates; i.e., they're not obligated to accept a cert if it passes the 2818 checks.


--
Mark Nottingham   https://www.mnot.net/
Received on Monday, 7 March 2016 02:19:50 UTC
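As an added illustration (not code from this thread or from the httpbis work), here is the shape of the check Mark is describing: RFC 2818 name matching of the alternative's certificate against the origin host, after which the client is free to apply its own policy, such as the validity-period cap and client-specific blocklist he lists. The `Cert` record, the 825-day cap and the fingerprint value are constructed assumptions for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Cert:
    """Minimal view of an already chain-validated leaf cert (constructed for this example)."""
    san_dns: list          # dNSName entries from subjectAltName
    not_before: datetime
    not_after: datetime
    fingerprint: str       # hex SHA-256 of the DER; placeholder value here

def dns_name_matches(pattern, host):
    """RFC 2818 style matching: '*' only as the whole leftmost label, and it
    matches exactly one label, so *.a.com matches foo.a.com but not bar.foo.a.com."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern == host:
        return True
    if not pattern.startswith("*.") or "*" in pattern[2:]:
        return False
    labels = host.split(".")
    return len(labels) >= 2 and all(labels) and ".".join(labels[1:]) == pattern[2:]

def accept_alternative(cert, origin_host, now, max_validity_days=825, blocklist=frozenset()):
    """Alt-Svc: the alternative's certificate must be valid for the ORIGIN host,
    not merely for the alternative's own name. Passing that is necessary but not
    sufficient: the client may layer its own policy on top, as the thread says."""
    if not any(dns_name_matches(n, origin_host) for n in cert.san_dns):
        return False, "certificate not valid for origin host"
    if not cert.not_before <= now <= cert.not_after:
        return False, "outside validity period"
    # Client-local policies of the kind the thread mentions (illustrative values).
    if cert.not_after - cert.not_before > timedelta(days=max_validity_days):
        return False, "validity period longer than client policy allows"
    if cert.fingerprint.lower() in blocklist:
        return False, "certificate on client-specific blocklist"
    return True, "ok"

NOW = datetime(2016, 3, 7)

def sample_cert(validity_days=365):
    """Constructed sample leaf covering example.com and one level of subdomain."""
    issued = NOW - timedelta(days=30)
    return Cert(["example.com", "*.example.com"], issued,
                issued + timedelta(days=validity_days), "ab" * 32)

if __name__ == "__main__":
    print(accept_alternative(sample_cert(), "www.example.com", NOW))       # passes all checks
    print(accept_alternative(sample_cert(), "deep.www.example.com", NOW))  # wildcard is one label
    print(accept_alternative(sample_cert(2000), "example.com", NOW))       # client validity cap
```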
