- From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
- Date: Mon, 03 Sep 2007 12:35:14 +0100
- To: stephen.farrell@cs.tcd.ie, public-wsc-wg@w3.org
Thomas Roessler wrote:
> On 2007-08-29 15:52:11 +0000, Web Security Context Working Group
> Issue Tracker wrote:
>
>> ISSUE-106 (cert/URL matching): We need to define details of
>> cert/URL matching [Techniques]
>
>> http://www.w3.org/2006/WSC/track/issues/
>
>> Raised by: Stephen Farrell
>> On product: Techniques
>
>> If we are to react to certs that don't match a URL then we need a
>> well-defined matching rule
>
> So, we say that "if cert doesn't match, blah blah, then..." -- for
> that, the rules in RFC 2818 (https) combined with RFC 3280 (pkix)
> would seem to be sufficient.
>
> Are you suggesting that we just reference these two documents, or do
> you have something deeper in mind?

We should definitely reference them. But we should also rethink if necessary, e.g. 2818 mandates preferring dNSName subjectAltName if present - I'm wondering if anyone in fact uses that and, if not, if we should recommend something else; 2818 also doesn't mention domainComponent ("dc=") which is all over the place in 3280bis (I guess as one of the co-authors of that I should be the one to re-read it for this ;-) but I'm not sure how much dc= is really in use.

So, we need to reference and maybe re-validate 2818, 3280 and 3280bis (which has now finished all LCs in the IETF), before we close this issue.

S.

>
> Thanks,
Received on Monday, 3 September 2007 11:35:29 UTC
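
The RFC 2818 section 3.1 matching rule discussed in this message, as an added example that is not part of the original e-mail or of any WSC or IETF text: a dNSName subjectAltName, when present, is the only identity compared, otherwise the Common Name is used, and dc= attributes play no part. The certificate dictionaries, the function names, and the choice of the last CN as "most specific" are assumptions made for illustration.

```python
import re

def label_matches(pattern, label):
    """Match one DNS label; '*' stands for any run of characters inside the label."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, label) is not None

def name_matches(pattern, host):
    """RFC 2818 wildcard rule: '*' covers one component or fragment, never a dot."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = host.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    return all(label_matches(p, h) for p, h in zip(p_labels, h_labels))

def rfc2818_identity(cert):
    """Return (source, names) that the RFC 2818 rule compares against the host."""
    dns_names = cert.get("san_dns", [])
    if dns_names:                    # dNSName present: it MUST be used, CN is ignored
        return "dNSName", dns_names
    cns = [value for attr, value in cert.get("subject", []) if attr == "CN"]
    if cns:                          # assumption: last CN in the subject is "most specific"
        return "CN", cns[-1:]
    return "none", []                # e.g. a subject built only from dc= attributes

def check(cert, host):
    """Return (identity source, whether any name of that source matches host)."""
    source, names = rfc2818_identity(cert)
    return source, any(name_matches(n, host) for n in names)

# Constructed sample data: parsed certificate fields only, no real certificates.
CERT_SAN = {"subject": [("CN", "www.example.com")],
            "san_dns": ["*.a.example", "mail.example.com"]}
CERT_CN = {"subject": [("O", "Example"), ("CN", "f*.example")]}
CERT_DC = {"subject": [("DC", "com"), ("DC", "example"), ("DC", "www")]}

if __name__ == "__main__":
    cases = [(CERT_SAN, "foo.a.example"), (CERT_SAN, "bar.foo.a.example"),
             (CERT_SAN, "www.example.com"), (CERT_CN, "foo.example"),
             (CERT_DC, "www.example.com")]
    for cert, host in cases:
        print(host, check(cert, host))
```

The third case shows the consequence of the preference rule: the CN names the host, but the presence of dNSName entries means the CN is never consulted. The iPAddress subjectAltName case that RFC 2818 defines for IP-address URIs is left out.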