- From: Alexey Melnikov <alexey.melnikov@isode.com>
- Date: Sat, 01 Feb 2014 19:23:32 +0000
- To: Martin Thomson <martin.thomson@gmail.com>, HTTP Working Group <ietf-http-wg@w3.org>, Mark Nottingham <mnot@mnot.net>
Hi Martin,

On 31/01/2014 18:23, Martin Thomson wrote:
> I think that this is mostly right:
>
> Partial proposal: insert after 9.1 Connection Management second paragraph:
>
> Clients MAY use a single connection for more than one origin when each
> origin's hostname resolves to the same IP address, and they share the
> same port. When an origin's scheme is "https", the server's
> certificate MUST be valid for the origin's hostname to be used in this
> fashion; this might be accomplished using a "wildcard certificate",
> subjectAltName [RFC3280], or some other mechanism.
> <<<
>
> However, 3280 is out of date. I wonder if 6125 is not a better
> reference to use here. As in:
>
> When an origin's scheme is "https", the server MUST be authenticated,
> either by validating the server certificate against the hostname in
> the origin [RFC6125], or by some other mechanism.

If you want to do that, you need to define:

1) whether wildcards are allowed or not
2) whether CN-ID (CN=<hostname> in the subject DN) is allowed or not
3) whether DNS-ID is allowed or not.

So basically you can't just say "use RFC 6125", you need a bit more information.
Received on Saturday, 1 February 2014 19:23:55 UTC
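As an added illustration of the three choices Alexey lists (this is not code from the message, from RFC 6125 or from the HTTP/2 draft), the following matcher makes wildcard handling, CN-ID and DNS-ID explicit policy knobs and then layers the draft's connection-reuse condition (same resolved IP, same port, certificate valid for each https hostname) on top. Certificates are modelled as small dicts and DNS answers as a dict, both constructed here so the code runs offline; the Policy, hostname_matches and can_coalesce names, and the requirement that coalesced origins share a scheme, are this example's own choices.

```python
"""RFC 6125-style hostname validation with the three policy choices made
explicit, plus the HTTP/2 draft's connection-reuse condition on top of it.

Added example for this thread; not code from the message, from RFC 6125 or
from the HTTP/2 draft. Certificates and DNS answers are constructed dicts so
everything runs offline."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    """The decisions a profile of RFC 6125 has to make (hypothetical names)."""
    allow_wildcards: bool = True   # 1) wildcard labels in presented identifiers
    allow_cn_id: bool = False      # 2) CN=<hostname> in the subject DN
    allow_dns_id: bool = True      # 3) dNSName entries in subjectAltName


def _labels(name):
    """Split a DNS name into lower-case labels; None if malformed."""
    name = name.lower().rstrip(".")
    labels = name.split(".")
    if not name or any(not label for label in labels):
        return None
    return labels


def _match_dns(presented, reference, policy):
    """Compare one presented identifier with the reference hostname."""
    p, r = _labels(presented), _labels(reference)
    if p is None or r is None or "*" in reference:
        return False
    if "*" not in presented:
        return p == r
    if not policy.allow_wildcards:
        return False
    # RFC 6125 6.4.3: accept "*" only as the complete left-most label, let it
    # match exactly one label, and never match it against an IDNA A-label.
    # Partial-label forms such as "f*o" (optional in the RFC) are rejected.
    # The public-suffix rule is approximated by requiring at least two
    # labels to the right of the "*".
    if p[0] != "*" or any("*" in label for label in p[1:]):
        return False
    if len(p) < 3 or len(p) != len(r) or r[0].startswith("xn--"):
        return False
    return p[1:] == r[1:]


def hostname_matches(cert, reference, policy=Policy()):
    """cert is {"dns_ids": [...], "cn": "..."}, a constructed stand-in for a
    parsed certificate. True if it is valid for reference under policy."""
    dns_ids = cert.get("dns_ids") or []
    if dns_ids:
        # RFC 6125 6.4.4: once DNS-IDs are present, CN-ID is not consulted.
        if not policy.allow_dns_id:
            return False
        return any(_match_dns(d, reference, policy) for d in dns_ids)
    cn = cert.get("cn")
    if cn is None or not policy.allow_cn_id:
        return False
    return _match_dns(cn, reference, policy)


def can_coalesce(origin_a, origin_b, cert, resolver, policy=Policy()):
    """Draft condition: both hostnames resolve to the same IP, same port, and
    for https the certificate is valid for each hostname. Origins are
    (scheme, host, port) tuples; resolver is a host->IP dict standing in
    for DNS. Requiring equal schemes is this example's own choice."""
    (scheme_a, host_a, port_a), (scheme_b, host_b, port_b) = origin_a, origin_b
    if scheme_a != scheme_b or port_a != port_b:
        return False
    ip_a, ip_b = resolver.get(host_a), resolver.get(host_b)
    if ip_a is None or ip_a != ip_b:
        return False
    if scheme_a == "https":
        return all(hostname_matches(cert, h, policy) for h in (host_a, host_b))
    return True


# Constructed sample data (not real certificates or DNS records).
WILDCARD_CERT = {"dns_ids": ["*.example.com", "example.com"], "cn": "example.com"}
CN_ONLY_CERT = {"cn": "legacy.example.org"}
RESOLVER = {"www.example.com": "192.0.2.10", "api.example.com": "192.0.2.10",
            "cdn.example.com": "192.0.2.11"}

if __name__ == "__main__":
    for host in ("www.example.com", "a.b.example.com", "xn--bcher-kva.example.com"):
        print(host, hostname_matches(WILDCARD_CERT, host))
    print("CN only, default policy:", hostname_matches(CN_ONLY_CERT, "legacy.example.org"))
    print("CN only, CN-ID allowed:",
          hostname_matches(CN_ONLY_CERT, "legacy.example.org", Policy(allow_cn_id=True)))
    print("coalesce www/api:", can_coalesce(("https", "www.example.com", 443),
                                            ("https", "api.example.com", 443),
                                            WILDCARD_CERT, RESOLVER))
```

Flipping any one of the three Policy flags changes which of the constructed certificates is acceptable and therefore which origins may share a connection, which is the point of the message: a reference to RFC 6125 alone does not fix these answers.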