some more details.
In 1.1:
It is possible to indicate several identities:
"Only a match between the client's reference identity and the server's
presented identity enables the client to be sure that the certificate
can legitimately be used to secure the connection."
==>
"In general, a match between the client's reference identity and one of the
server's presented identities is required to enable the client to be sure that
the certificate can legitimately be used to authenticate the connection."
(see: "The application server is identified by a name or names carried in
the subject field and/or the subjectAltName extension of the
certificate.")
"The Internet Public Key Infrastructure" sounds quite ambiguous to me.
- The only part of the PKI in question that is ever transmitted
and visible on the Internet might be the server's certificate.
- There is no "Internet PKI" (like the DNS).
"in the context of the Internet Public Key Infrastructure using X.509"
==>
"in the context of a Public Key Infrastructure using X.509".
Likewise, during TLS negotiation the server presents
its conception of the server's identity
Application protocols have traditionally specified their own rules
for representing and verifying server identities.
I suggest replacing "represent" with "present". (The word "represent" seems
to be used interchangeably with "present" in the current text.) I'd even
prefer "indicate" instead.
/PS
_______________________________________________
certid mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/certid
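The point raised in the message above, that a client must compare its single reference identity against each of possibly several presented identities carried in the subjectAltName extension and/or the subject field, is shown below as an added example. This is not code from the mailing list thread or from the draft under review; it assumes the matching rules later published in RFC 6125 (case-insensitive DNS comparison, a wildcard only as the complete left-most label, and the Common Name consulted only when no dNSName is present), and the certificate identities and helper names are constructed for illustration.

```python
"""Match a client's reference identity against a server's presented identities.

Added example, not from the certid thread or the draft it reviews. Identities
are represented as ("DNS-ID", "www.example.com") for subjectAltName dNSName
entries and ("CN-ID", "example.com") for the subject Common Name; the matching
rules follow RFC 6125 (assumption: the reviewed draft's rules are those that
were later published there).
"""
from typing import Iterable, Tuple

Identity = Tuple[str, str]


def _normalize(name: str) -> str:
    # DNS names compare case-insensitively; a trailing root dot is dropped.
    name = name.strip().lower()
    return name[:-1] if name.endswith(".") else name


def dns_name_matches(presented: str, reference: str) -> bool:
    """Compare one presented dNSName against the reference identity.

    A wildcard is accepted only as the complete left-most label (RFC 6125
    section 6.4.3) and never matches across a label boundary, so
    "*.example.com" matches "www.example.com" but neither "a.b.example.com"
    nor "example.com".
    """
    presented = _normalize(presented)
    reference = _normalize(reference)
    if not presented or not reference:
        return False
    if "*" not in presented:
        return presented == reference
    p_labels = presented.split(".")
    r_labels = reference.split(".")
    # Exactly one wildcard, alone in the left-most label, and at least two
    # further labels so that "*.com" cannot match every name under a TLD.
    if p_labels[0] != "*" or presented.count("*") != 1 or len(p_labels) < 3:
        return False
    if len(p_labels) != len(r_labels):
        return False
    return p_labels[1:] == r_labels[1:]


def matches_reference_identity(reference: str,
                               presented: Iterable[Identity]) -> bool:
    """True if the reference identity matches any of the presented identities.

    The CN-ID is consulted only when the certificate presents no DNS-ID at all
    (RFC 6125 section 6.4.4); once any dNSName is present the CN is ignored.
    """
    presented = list(presented)
    dns_ids = [v for t, v in presented if t == "DNS-ID"]
    if dns_ids:
        return any(dns_name_matches(v, reference) for v in dns_ids)
    cn_ids = [v for t, v in presented if t == "CN-ID"]
    return any(dns_name_matches(v, reference) for v in cn_ids)


# Constructed sample: identities as a certificate might carry them in its
# subjectAltName extension (DNS-ID) and subject field (CN-ID).
SAMPLE_CERT_IDENTITIES = [
    ("DNS-ID", "www.example.com"),
    ("DNS-ID", "*.mail.example.com"),
    ("CN-ID", "legacy.example.com"),
]

if __name__ == "__main__":
    for ref in ["www.example.com", "WWW.EXAMPLE.COM", "imap.mail.example.com",
                "a.b.mail.example.com", "mail.example.com",
                "legacy.example.com"]:
        print(f"{ref:24} -> {matches_reference_identity(ref, SAMPLE_CERT_IDENTITIES)}")
```

Note that "legacy.example.com" does not match the sample certificate even though it appears as the Common Name: because the certificate carries dNSName entries, the CN is not consulted, which is exactly why "one of the server's presented identities" needs to be read together with the precedence rules for where those identities come from.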