Re: ISSUE-106 (cert/URL matching): We need to define details of cert/URL matching [Techniques]

Thomas Roessler wrote:
> On 2007-08-29 15:52:11 +0000, Web Security Context Working Group
> Issue Tracker wrote:
> 
>> ISSUE-106 (cert/URL matching): We need to define details of
>> cert/URL matching [Techniques]
> 
>> http://www.w3.org/2006/WSC/track/issues/
> 
>> Raised by: Stephen Farrell
>> On product: Techniques
> 
>> If we are to react to certs that don't match a URL then we need a
>> well defined matching rule
> 
> So, we say that "if cert doesn't match, blah blah, then..." -- for
> that, the rules in RFC 2818 (https) combined with RFC 3280 (pkix)
> would seem to be sufficient.
> 
> Are you suggesting that we just reference these two documents, or do
> you have something deeper in mind?

We should definitely reference them. But we should also rethink
if necessary, e.g. 2818 mandates preferring dNSName subjectAltName
if present - I'm wondering if anyone in fact uses that and if not
if we should recommend something else; 2818 also doesn't mention
domainComponent ("dc=") which is all over the place in 3280bis
(I guess as one of the co-authors of that I should be the one to
re-read it for this;-) but I'm not sure how much dc= is really
in use.

So, we need to reference and maybe re-validate 2818, 3280 and
3280bis (which has now finished all LCs in the IETF), before we
close this issue.

S.

> 
> Thanks,

Received on Monday, 3 September 2007 11:35:29 UTC
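
The RFC 2818 rule discussed in this thread (a dNSName subjectAltName, when present, is the identity and the Common Name is then ignored), shown as an added example that is not part of the original message. Certificates are modelled as plain dicts with hypothetical field names (`dns_names`, `common_name`, `domain_components`), and the sample values are constructed.

```python
# Added illustration of RFC 2818 section 3.1 host matching. Certificates are
# plain dicts (constructed sample data), not parsed X.509 structures.
import re

def _label_matches(pattern, label):
    """Match one DNS label; '*' matches a run of characters inside the label."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, label, re.IGNORECASE) is not None

def name_matches(pattern, host):
    """Compare label by label, so a wildcard never spans a dot."""
    p_labels, h_labels = pattern.split("."), host.split(".")
    if len(p_labels) != len(h_labels):
        return False
    return all(_label_matches(p, h) for p, h in zip(p_labels, h_labels))

def rfc2818_match(cert, host):
    """Return (matched, source); source is 'dNSName', 'CN' or 'none'."""
    host = host.rstrip(".")
    dns_names = cert.get("dns_names", [])
    if dns_names:
        # dNSName present: it must be used as the identity, CN is ignored.
        return any(name_matches(n, host) for n in dns_names), "dNSName"
    cn = cert.get("common_name")
    if cn:
        # Fallback only when the certificate carries no dNSName at all.
        return name_matches(cn, host), "CN"
    # domainComponent (dc=) attributes are not consulted by RFC 2818.
    return False, "none"

# Constructed sample certificates.
SAMPLES = {
    "san_and_cn": {"dns_names": ["www.example.com"],
                   "common_name": "shop.example.com"},
    "cn_only": {"common_name": "*.example.com"},
    "dc_only": {"domain_components": ["example", "com"]},
}

if __name__ == "__main__":
    for label, host in [("san_and_cn", "shop.example.com"),
                        ("san_and_cn", "www.example.com"),
                        ("cn_only", "foo.example.com"),
                        ("cn_only", "bar.foo.example.com"),
                        ("dc_only", "example.com")]:
        print(label, host, rfc2818_match(SAMPLES[label], host))
```

The first sample shows the consequence of the preference rule: a host that equals the Common Name is still rejected because a dNSName is present and does not match.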