- From: Mark Nottingham <mnot@mnot.net>
- Date: Tue, 26 Sep 2017 12:09:45 +1000
- To: Mike Bishop <Michael.Bishop@microsoft.com>
- Cc: Patrick McManus <pmcmanus@mozilla.com>, HTTP Working Group <ietf-http-wg@w3.org>, Erik Nygren <erik@nygren.org>
> On 23 Sep 2017, at 7:59 am, Mike Bishop <Michael.Bishop@microsoft.com> wrote:
>
> • Section 4 contains two nearly-identical paragraphs that probably should be merged and duplicative text trimmed.
The paras in question:
"""
As a result, clients opting not to consult DNS ought to employ some alternative means to increase confidence that the certificate is legitimate. Examples of mechanisms that can give additional confidence in a certificate include checking for a Signed Certificate Timestamp {{?RFC6929}} and performing certificate revocation checks.
Clients opting not to consult DNS ought to do so only if they have a high degree of confidence that the certificate is legitimate. For instance, clients might skip consulting DNS only if they receive proof of inclusion in a Certificate Transparency log {{?RFC6929}} or they have a recent OCSP response {{?RFC6960}} (possibly using the "status_request" TLS extension {{?RFC6066}}) showing that the certificate was not revoked.
"""
This is the result of heavy wordsmithing^H^H^H^H consensus-building, so stepping carefully, a proposal:
"""
As a result, clients opting not to consult DNS ought to employ some alternative means to establish a high degree of confidence that the certificate is legitimate. For example, clients might skip consulting DNS only if they receive proof of inclusion in a Certificate Transparency log {{?RFC6929}} or they have a recent OCSP response {{?RFC6960}} (possibly using the "status_request" TLS extension {{?RFC6066}}) showing that the certificate was not revoked.
"""
Does that work for everyone?
--
Mark Nottingham https://www.mnot.net/
Received on Tuesday, 26 September 2017 02:13:01 UTC