On 7/19/10 10:12 AM, Martin Rex wrote:

> One thing that I find particularly irritating in -08 is that
> it completely ignores a much more secure authentication
> scheme for servers, by clients knowing the entire subject DName
> of a certificate rather than matching only a single
> name component.
Good point. To make these (and other) matters clearer, I have written a new section on the applicability of this document:

***

1.2. Applicability

This document does not supersede the rules for certificate validation provided in [PKIX]; specifically, in order to ensure proper authentication, application clients need to verify the entire certification path (this document addresses only the DNS domain name of the application service itself, not the entire trust chain).

This document also does not supersede the rules for verifying server identity provided in existing application protocol specifications, such as those mentioned under Appendix A. However, it is the intent of the authors that the best current practices described here can be referenced by future specifications.

It is also expected that this document will be updated or obsoleted in the future as best practices for issuance and verification of PKIX certificates continue to evolve through more widespread implementation and deployment of TLS-protected application services over the Internet.

***

/psa

_______________________________________________
certid mailing list
https://www.ietf.org/mailman/listinfo/certid
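The two verification scopes discussed in this exchange, PKIX path validation followed by matching a single DNS name (what the draft covers) versus a client that knows the entire subject DN it expects (the scheme Martin Rex describes), as an added Go example that is not part of the list message or of the draft. The test CA, the organisations "Example Corp" and "Other Org" and the host www.example.com are constructed for the demo; the DN comparison uses pkix.Name.String() as a simplification of full X.501 name matching.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue creates a server-auth certificate for subj; a nil parent means self-signed (constructed test PKI).
func issue(subj pkix.Name, dns []string, isCA bool, parent *x509.Certificate, pkey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: subj, DNSNames: dns,
		IsCA: isCA, BasicConstraintsValid: true, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	if parent == nil { parent, pkey = tmpl, key } // self-signed: the template is its own issuer
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, pkey)
	if err != nil { panic(err) }
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// VerifyServer runs PKIX path validation to roots (the [PKIX] rules the draft does not replace), then
// matches host against the leaf's dNSName SANs or, when wantDN is given, requires the whole subject DN to match.
func VerifyServer(leaf *x509.Certificate, roots *x509.CertPool, host string, wantDN *pkix.Name) error {
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host}); err != nil {
		return err
	}
	if wantDN != nil && leaf.Subject.String() != wantDN.String() {
		return fmt.Errorf("subject %s is not the expected %s", leaf.Subject, wantDN)
	}
	return nil
}

// Scenario: two leaves from one CA both carry dNSName www.example.com but differ in O.
// Name matching accepts both; knowing the entire expected subject DN accepts only one.
func Scenario() (nameOKGood, nameOKOther, dnOKGood, dnOKOther bool) {
	ca, caKey := issue(pkix.Name{CommonName: "Example Test CA"}, nil, true, nil, nil)
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	want := pkix.Name{Organization: []string{"Example Corp"}, CommonName: "www.example.com"}
	good, _ := issue(want, []string{"www.example.com"}, false, ca, caKey)
	bad, _ := issue(pkix.Name{Organization: []string{"Other Org"}, CommonName: "www.example.com"}, []string{"www.example.com"}, false, ca, caKey)
	return VerifyServer(good, roots, "www.example.com", nil) == nil, VerifyServer(bad, roots, "www.example.com", nil) == nil,
		VerifyServer(good, roots, "", &want) == nil, VerifyServer(bad, roots, "", &want) == nil
}
```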
