Re: Stephen Farrell's No Objection on draft-ietf-httpbis-alt-svc-12: (with COMMENT)

On 7 March 2016 at 13:19, Mark Nottingham <mnot@mnot.net> wrote:
> It's just saying that clients can and use additional means to validate certificates; i.e., they're not obligated to accept a cert if it passes the 2818 checks.

In practice, browsers do pinning checks, blacklist checks, revocation
checks [1], CT signature checks, user override checks, and probably
things that I'm not aware of.  The intent was to avoid limiting
validation behaviour.  My initial reaction was that this wasn't
interoperable.  I still think we could do better, but don't want to
burden this effort unreasonably; defining what it means to validate a
certificate turns out to be hard.

[1] Hah, had you going there, we don't. Well... unless there is a
must-pin policy.

Received on Monday, 7 March 2016 03:27:42 UTC