Re: Eric Rescorla's No Objection on draft-ietf-httpbis-origin-frame-04: (with COMMENT) from Eric Rescorla on 2018-01-11 (ietf-http-wg@w3.org from January to March 2018)

From: Eric Rescorla <ekr@rtfm.com>
Date: Thu, 11 Jan 2018 15:19:10 -0800
To: Mark Nottingham <mnot@mnot.net>
Cc: The IESG <iesg@ietf.org>, draft-ietf-httpbis-origin-frame@ietf.org, Patrick McManus <mcmanus@ducksong.com>, HTTP Working Group <ietf-http-wg@w3.org>
Message-ID: <CABcZeBP3xFKh2sgww0NxU0Sp+ewsNxj1TViWx0yKWqsHtR2LOw@mail.gmail.com>

"present" seems too weak. You need to prove possession of the private key,
not just show it. How about "authenticate with"?

On Thu, Jan 11, 2018 at 3:16 PM, Mark Nottingham <mnot@mnot.net> wrote:

>
>
> > On 12 Jan 2018, at 9:38 am, Eric Rescorla <ekr@rtfm.com> wrote:
> >
> > I am looking for text which is technically accurate. the current text is
> not, for any sense of "obtain". What is required here is that the server
> authenticate to the client with a private key that corresponds to a
> certificate which passes the suitable tests. That's entirely different from
> "obtain".
>
> How about:
>
> Original: """
> Note that for a connection to be considered authoritative for a given
> origin, the client is still required to obtain a certificate that passes
> suitable checks..."""
>
> Update: """
> Note that for a connection to be considered authoritative for a given
> origin, the server is still required to present a certificate that passes
> suitable checks..."""
>
> --
> Mark Nottingham   https://www.mnot.net/
>
>

Received on Thursday, 11 January 2018 23:20:17 UTC