Re: Stephen Farrell's No Objection on draft-ietf-httpbis-alt-svc-12: (with COMMENT)

> On 5 Mar 2016, at 12:51 AM, Stephen Farrell <stephen.farrell@cs.tcd.ie> wrote:
> 
>>> - 9.2: What does "might also choose" mean and which "other 
>>> requirements" have you in mind? That's very vague.
>> 
>> Browsers can -- and do -- add other checks to certificates, and this
>> gives them wiggle-room to do so. This might be CT as it's not
>> required now, it might be a browser-specific blacklist based upon its
>> own data, it might be additional limits on validity periods, it might
>> be Perspectives or a similar approach, etc.
>> 
> 
> I have to say I'm still not clear on what could usefully be done
> there - are you envisaging e.g. paying attention to whether the
> new host name is in a SAN in the cert or matches a wildcard cert
> or something?
> 
> I also don't see how CT would interact with Alt-Svc at all, but
> maybe there's something.

It's just saying that clients can and do use additional means to validate certificates; i.e., they're not obligated to accept a cert if it passes the 2818 checks.


--
Mark Nottingham   https://www.mnot.net/

Received on Monday, 7 March 2016 02:19:50 UTC