- From: Mikael Nordfeldth <mmn@hethane.se>
- Date: Sat, 08 Nov 2014 21:22:39 +0100
- To: public-socialweb@w3.org
- Message-ID: <545E7B8F.1010901@hethane.se>
On 2014-11-08 19:34, Owen Shepherd wrote: > WebFinger does not mandate CA verification. It mandates certificate > verification. This does not necessarily require CAs as the trust roots. My bad. Nevertheless, it effectively excludes (today) anything that is not the CA system since just about every implementation will validate against the Mozilla CA list or similar. So Monkeysphere, self-signed etc. cannot compete at the same level as friends of too-big-to-fail companies like Verisign or Comodo. > I think it is important for us to require HTTPS and validation. We need not > specify the mechanism of validation. If we don't define a validation procedure but _do_ require validation it will cause confusion and incompatibility. I'd gladly see the protocol specification _allow_ for certificate validation but not forcefully require it. Nodes in the network which want to explicitly validate TLS certs according to their preferred threat models or company policies can do so. If they want, they can integrate some feedback to their users about which other nodes are operating with non-validated services or simply not interoperate. Just my 2 cents. -- Mikael Nordfeldth XMPP/mail: mmn@hethane.se
Received on Saturday, 8 November 2014 20:22:49 UTC