- From: Mark Nottingham <mnot@mnot.net>
- Date: Mon, 7 Mar 2016 13:19:16 +1100
- To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
- Cc: The IESG <iesg@ietf.org>, Mike Bishop <michael.bishop@microsoft.com>, HTTP WG <ietf-http-wg@w3.org>
> On 5 Mar 2016, at 12:51 AM, Stephen Farrell <stephen.farrell@cs.tcd.ie> wrote:
>
>>> - 9.2: What does "might also choose" mean and which "other
>>> requirements" have you in mind? That's very vague.
>>
>> Browsers can -- and do -- add other checks to certificates, and this
>> gives them wiggle-room to do so. This might be CT as it's not
>> required now, it might be a browser-specific blacklist based upon its
>> own data, it might be additional limits on validity periods, it might
>> be Perspectives or a similar approach, etc.
>>
>
> I have to say I'm still not clear on what could usefully be done
> there - are you envisaging e.g. paying attention to whether the
> new host name is in a SAN in the cert or matches a wildcard cert
> or something?
>
> I also don't see how CT would interact with Alt-Svc at all, but
> maybe there's something.

It's just saying that clients can and do use additional means to validate certificates; i.e., they're not obligated to accept a cert if it passes the 2818 checks.

--
Mark Nottingham   https://www.mnot.net/
Received on Monday, 7 March 2016 02:19:50 UTC
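The exchange above is about a client layering its own checks on top of the RFC 2818 hostname check when it follows an Alt-Svc alternative. The following Python is an added example, not code from the thread, the Alt-Svc draft, or any browser: it takes a certificate in the dictionary shape that `ssl.getpeercert()` returns (the sample certificate is constructed), runs the SAN/wildcard hostname check Stephen asks about, and then applies a hypothetical client policy (maximum validity period, local blacklist by serial or issuer) so that a certificate passing the baseline can still be refused. Function names and policy keys are assumptions for illustration; CT is not modelled because `getpeercert()` does not expose SCTs.

```python
"""Layered certificate acceptance for an Alt-Svc client (added example).

Models the point that a client may run its own, client-chosen checks on top
of the RFC 2818 hostname check and refuse a certificate that passes the
baseline.  The certificate dict mirrors the shape ssl.getpeercert() returns;
the sample certificate, policy values and function names are constructed.
"""
import ssl
import time

# Constructed sample, shaped like the dict ssl.getpeercert() returns.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("organizationName", "Example CA"),),
               (("commonName", "Example CA Root"),)),
    "serialNumber": "0A1B2C",
    "notBefore": "Mar  1 00:00:00 2016 GMT",
    "notAfter": "Mar  1 00:00:00 2019 GMT",
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "*.alt.example.com")),
}

# Hypothetical client policy: the "other requirements" a client might add.
DEFAULT_POLICY = {
    "max_validity_days": 825,         # refuse long-lived certificates
    "blocked_serials": {"DEADBEEF"},  # local blacklist by serial number
    "blocked_issuer_cns": set(),      # local blacklist by issuer commonName
}

# A fixed "now" inside the sample certificate's validity window (constructed).
NOW_2016 = ssl.cert_time_to_seconds("Mar  7 00:00:00 2016 GMT")


def dns_name_matches(pattern, hostname):
    """Match one SAN dNSName (or CN) against a host name.

    A '*' is honoured only as the entire left-most label and matches exactly
    one label, the common browser reading of RFC 2818 wildcards.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def rfc2818_hostname_check(cert, hostname):
    """Baseline check: the alternative host name must be covered by a SAN
    dNSName; the CN is consulted only when no dNSName SAN is present."""
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:
        names = [v for rdn in cert.get("subject", ())
                 for k, v in rdn if k == "commonName"]
    return any(dns_name_matches(n, hostname) for n in names)


def additional_client_checks(cert, policy, now):
    """Client-chosen checks layered on the baseline.  Returns the reasons
    for rejection; an empty list means the extra policy is satisfied."""
    reasons = []
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if not (not_before <= now <= not_after):
        reasons.append("certificate not valid at current time")
    validity_days = (not_after - not_before) / 86400
    if validity_days > policy["max_validity_days"]:
        reasons.append("validity period %d days exceeds policy maximum %d"
                       % (validity_days, policy["max_validity_days"]))
    if cert.get("serialNumber", "").upper() in policy["blocked_serials"]:
        reasons.append("serial number is on the local blacklist")
    issuer_cns = {v for rdn in cert.get("issuer", ())
                  for k, v in rdn if k == "commonName"}
    if issuer_cns & policy["blocked_issuer_cns"]:
        reasons.append("issuer is on the local blacklist")
    return reasons


def accept_certificate(cert, hostname, policy=DEFAULT_POLICY, now=None):
    """Full decision: baseline hostname check AND every additional check.
    Returns (accepted, reasons)."""
    now = time.time() if now is None else now
    reasons = []
    if not rfc2818_hostname_check(cert, hostname):
        reasons.append("host name %s not covered by certificate" % hostname)
    reasons.extend(additional_client_checks(cert, policy, now))
    return (not reasons, reasons)


if __name__ == "__main__":
    for host in ("www.example.com", "cdn.alt.example.com", "a.b.alt.example.com"):
        ok, why = accept_certificate(SAMPLE_CERT, host, now=NOW_2016)
        print(host, "accepted" if ok else "rejected", why)
```

With the default policy the sample certificate is rejected for `www.example.com` even though the hostname check passes, because its three-year validity exceeds the client's 825-day limit; relaxing that limit makes the same certificate acceptable, which is exactly the discretion the draft's wording leaves to clients.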