> > Given all this, I suggest we change the last part of the last sentence of
> > the "Security Note" quoted above to something like...
> >
> > ..., by forcing the user to view the entire certification path
> > and only then allowing the user to choose whether to accept the
> > certificate on a temporary or permanent basis. See [WSC-UI] for
> > further guidance.
> >
> > ...and leave it at that in -tls-server-id-check. We should also consider
> > making [WSC-UI] a normative reference now that it is at Recommendation
> > maturity level.
>
> OK. I suggest s/to choose whether //; the point is that the user
> accepts the certificate.
I tend to think we ought to at least mention the notion that the cert can be
accepted either temporarily or permanently.
> Another issue with WSC-UI that I neglected to point out earlier: it only
> discusses pinning of certificates with untrusted issuers
hm, indeed. This would be an issue if we were to cite WSC-UI normatively, but
not if we do so only informatively, so I'm now thinking we ought to keep it as
the latter.
> if the omission of pinning for name mismatches from WSC-UI was
> intentional (i.e., the authors thought it was a bad idea). Does anyone
> know if this is the case?
don't know, but it's easy to ask.
=JeffH
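The two points debated above (a certificate exception accepted "on a temporary or permanent basis", and WSC-UI covering pinning only for untrusted issuers and not for name mismatches) can be made concrete in a small client-side model. The following is an added example, not code from the draft, from WSC-UI, or from any list participant; the CertInfo record, the PinStore class, the failure names "untrusted_issuer" and "name_mismatch", and the rule that a pin granted for one failure kind does not cover the other are all assumptions of this example, and the certificate values are constructed.

```python
from dataclasses import dataclass
from typing import Optional, Set, Tuple

# Constructed stand-in for a parsed leaf certificate plus the result of
# chain building; a real client would take these from its TLS library.
@dataclass(frozen=True)
class CertInfo:
    fingerprint: str          # hex SHA-256 of the DER encoding (constructed)
    names: frozenset          # DNS-ID / CN values presented by the certificate
    issuer_trusted: bool      # True when the chain ends in a trust anchor

def classify_failure(cert: CertInfo, expected_name: str) -> Optional[str]:
    """Return None when the certificate passes, else the kind of failure.

    Issuer trust is checked first: without a trusted path the name check
    proves nothing, so an untrusted chain is reported even if the name also
    mismatches (this ordering is an assumption of the example).
    """
    if not cert.issuer_trusted:
        return "untrusted_issuer"
    if expected_name.lower() not in {n.lower() for n in cert.names}:
        return "name_mismatch"
    return None

class PinStore:
    """User-accepted exceptions keyed by (fingerprint, failure kind).

    Keying on the failure kind is this example's assumption: an acceptance
    granted because the issuer was untrusted does not silently cover a
    later name mismatch for the same certificate, and vice versa.
    """
    def __init__(self) -> None:
        self._permanent: Set[Tuple[str, str]] = set()
        self._session: Set[Tuple[str, str]] = set()

    def accept(self, cert: CertInfo, reason: str, permanent: bool) -> None:
        target = self._permanent if permanent else self._session
        target.add((cert.fingerprint, reason))

    def is_pinned(self, cert: CertInfo, reason: str) -> bool:
        key = (cert.fingerprint, reason)
        return key in self._permanent or key in self._session

    def end_session(self) -> None:
        """Temporary acceptances die with the session; permanent ones persist."""
        self._session.clear()

def evaluate(cert: CertInfo, expected_name: str, store: PinStore) -> str:
    """Decide what the client does for this connection.

    'ok'            - normal validation passed
    'pinned'        - validation failed, but the user earlier accepted this
                      certificate for this exact failure kind
    'prompt:<kind>' - the UI must show the full certification path and ask
                      the user for a temporary or permanent acceptance
    """
    reason = classify_failure(cert, expected_name)
    if reason is None:
        return "ok"
    if store.is_pinned(cert, reason):
        return "pinned"
    return f"prompt:{reason}"
```

The prompt path is where the quoted "Security Note" text applies: the client never accepts silently on a failure, and a temporary acceptance is discarded by end_session() while a permanent one survives it.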
_______________________________________________
certid mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/certid