Thomas Roessler wrote:
> On 2007-08-29 15:52:11 +0000, Web Security Context Working Group
> Issue Tracker wrote:
>
>> ISSUE-106 (cert/URL matching): We need to define details of
>> cert/URL matching [Techniques]
>
>> http://www.w3.org/2006/WSC/track/issues/
>
>> Raised by: Stephen Farrell
>> On product: Techniques
>
>> If we are to react to certs that don't match a URL then we need a
>> well defined matching rule
>
> So, we say that "if cert doesn't match, blah blah, then..." -- for
> that, the rules in RFC 2818 (https) combined with RFC 3280 (pkix)
> would seem to be sufficient.
>
> Are you suggesting that we just reference these two documents, or do
> you have something deeper in mind?

We should definitely reference them. But we should also rethink if
necessary, e.g. 2818 mandates preferring dNSName subjectAltName if
present - I'm wondering if anyone in fact uses that and if not if we
should recommend something else; 2818 also doesn't mention
domainComponent ("dc=") which is all over the place in 3280bis (I
guess as one of the co-authors of that I should be the one to re-read
it for this ;-) but I'm not sure how much dc= is really in use.

So, we need to reference and maybe re-validate 2818, 3280 and 3280bis
(which is now finished all LCs in the IETF), before we close this
issue.

S.

>
> Thanks,

Received on Monday, 3 September 2007 11:35:29 GMT
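An added illustration, not part of the original message: the RFC 2818 section 3.1 rule the thread refers to, where a dNSName subjectAltName, when present, is used as the identity and the Common Name is consulted only when no dNSName exists. The dict-shaped certificate, the function names and the sample host names are constructed for this example; iPAddress entries and domainComponent ("dc=") are not handled, since RFC 2818 gives no rule for the latter.

```python
import re

def label_matches(pattern, label):
    """Match one DNS label; '*' stands for any run of characters inside it."""
    if not label:
        return False
    if "*" not in pattern:
        return pattern == label
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, label) is not None

def name_matches(pattern, hostname):
    """RFC 2818 wildcard rule: '*' covers one label or a fragment, never a dot."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    return all(label_matches(p, h) for p, h in zip(p_labels, h_labels))

def reference_names(cert):
    """Choose the identity source: dNSName SANs win, CN is the fallback only."""
    san = cert.get("san_dns", [])
    if san:
        return "subjectAltName", list(san)
    # Assumption: CNs are listed in encoded order, most specific last.
    return "commonName", cert.get("subject_cn", [])[-1:]

def check_identity(cert, hostname):
    """Return (source used, whether the hostname matches that source)."""
    source, names = reference_names(cert)
    return source, any(name_matches(n, hostname) for n in names)

# Constructed sample certificates (names only, no real X.509 parsing).
SAN_AND_CN = {"subject_cn": ["www.example.com"], "san_dns": ["mail.example.com"]}
CN_ONLY = {"subject_cn": ["*.example.com"]}

if __name__ == "__main__":
    for cert, host in [(SAN_AND_CN, "www.example.com"),
                       (SAN_AND_CN, "mail.example.com"),
                       (CN_ONLY, "foo.example.com"),
                       (CN_ONLY, "bar.foo.example.com")]:
        print(host, check_identity(cert, host))
```

The first sample shows the consequence raised in the message: once any dNSName is present, a host that appears only in the Common Name no longer matches.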