Re: TLS certificate verification policy?

On 11/08/2014 09:22 PM, Mikael Nordfeldth wrote:
> On 2014-11-08 19:34, Owen Shepherd wrote:
>> WebFinger does not mandate CA verification. It mandates certificate 
>> verification. This does not necessarily require CAs as the trust roots.
> My bad. Nevertheless, it effectively excludes (today) anything that is
> not the CA system since just about every implementation will validate
> against the Mozilla CA list or similar. So Monkeysphere, self-signed
> etc. cannot compete at the same level as friends of too-big-to-fail
> companies like Verisign or Comodo.
>> I think it is important for us to require HTTPS and validation. We need not 
>> specify the mechanism of validation.
> If we don't define a validation procedure but _do_ require validation it
> will cause confusion and incompatibility. I'd gladly see the protocol
> specification _allow_ for certificate validation but not forcefully
> require it.
> Nodes in the network which want to explicitly validate TLS certs
> according to their preferred threat models or company policies can do
> so. If they want, they can integrate some feedback to their users about
> which other nodes are operating with non-validated services or simply
> not interoperate.
IMO publishing *separate* NOTE on this topic and just delegating to it
whenever needed would come helpful. Mikael, would you like to draft
something which we could start iterating from together? :)

Received on Sunday, 9 November 2014 00:03:42 UTC