On Mon, 2010-10-11 at 15:16 -0600, Peter Saint-Andre wrote: > On 10/11/10 2:31 PM, Martin Rex wrote: > > I strongly disagree. the -09 wording: > > > > The client MUST fail to match a presented identifier > > in which the wildcard character is contained within a label fragment > > (e.g., baz*.example.net is not allowed and MUST NOT be taken to match > > baz1.example.net and baz2.example.net) > > > > attempts to invalidate rfc-2818 through the use of "MUST NOT". > > The next version (-10) will make it abundantly clear that this I-D does > not (and does not intend to) override, supersede, update, or obsolete > the rules for verifying server identity provided in specifications for > existing application protocols. On this point, Jeff and I have added an > applicability statement to our working copy, which we hope to release in > the next day or two once we've checked it against all the issues that > were raised during IETF Last Call.
This seems possibly disingenuous to me. The tls-server-id-check document may not itself update RFC 2818, but do you really intend that RFC 2818 never be updated in the future to use the tls-server-id-check rules? In view of the likelihood of such an update, it seems unhelpful to claim now that compatibility with RFC 2818 isn't our problem. -- Matt _______________________________________________ certid mailing list [email protected] https://www.ietf.org/mailman/listinfo/certid
