- From: ☮ elf Pavlik ☮ <perpetual-tripper@wwelves.org>
- Date: Sun, 09 Nov 2014 01:01:20 +0100
- To: mmn@hethane.se
- CC: public-socialweb@w3.org
- Message-ID: <545EAED0.4070501@wwelves.org>

On 11/08/2014 09:22 PM, Mikael Nordfeldth wrote:
> On 2014-11-08 19:34, Owen Shepherd wrote:
>> WebFinger does not mandate CA verification. It mandates certificate
>> verification. This does not necessarily require CAs as the trust roots.
>
> My bad. Nevertheless, it effectively excludes (today) anything that is
> not the CA system since just about every implementation will validate
> against the Mozilla CA list or similar. So Monkeysphere, self-signed
> etc. cannot compete at the same level as friends of too-big-to-fail
> companies like Verisign or Comodo.
>
>> I think it is important for us to require HTTPS and validation. We need not
>> specify the mechanism of validation.
>
> If we don't define a validation procedure but _do_ require validation it
> will cause confusion and incompatibility. I'd gladly see the protocol
> specification _allow_ for certificate validation but not forcefully
> require it.
>
> Nodes in the network which want to explicitly validate TLS certs
> according to their preferred threat models or company policies can do
> so. If they want, they can integrate some feedback to their users about
> which other nodes are operating with non-validated services or simply
> not interoperate.

IMO publishing a *separate* NOTE on this topic and just delegating to it
whenever needed would be helpful.

Mikael, would you like to draft something which we could start iterating
from together? :)

Received on Sunday, 9 November 2014 00:03:42 UTC