>> 5. On page 20, the following text exists: For an interactive client,
>> it is strongly encouraged that each reference identifier SHOULD be
>> based on the source domain provided by the user and SHOULD NOT be
>> based on a derived domain (e.g., a host name or domain name
>> discovered through DNS resolution of the source domain).
>>
>> I am not clear why this is important for interactive clients and not
>> for automated clients.
>
> Good point. Changed in my working copy to:
>
> It is strongly encouraged that each reference identifier
> in the list SHOULD...
>
>> 6. In section 4.6.2 - I am disappointed that the concept of checking
>> that the context is either the same or similar is not also included
>> in this check. I think this is an important concept.
>
> Agreed. I propose adding the clause "including the context as described
> under Section 5.1", as follows:
>
> If the client does not find a presented identifier matching any of
> the reference identifiers but the client has previously pinned the
> application service's certificate to one of the reference identifiers
> in the list it constructed for this connection attempt (as "pinning"
> is explained under Section 1.5), and the presented certificate
> matches the pinned certificate (including the context as described
> under Section 5.1), then the service identity check succeeds.
Agreed, good catches Jim, thanks for your review. I concur with PeterSA's fixes.

=JeffH

_______________________________________________
certid mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/certid
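The two points discussed in the quoted exchange (reference identifiers built from the source domain the user supplied rather than a DNS-derived name, and the pinned-certificate fallback in 4.6.2 that only succeeds when the pin was recorded in the same context) are illustrated below. This is an added Python example written for this archive page; it is not code from the thread, the draft, or any IETF implementation. It assumes identifiers are represented as (type, value) tuples for DNS-ID and SRV-ID only, that "context" can be modelled as a (source domain, service type) pair, and that a certificate is identified by the SHA-256 of constructed stand-in DER bytes.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Identifier = Tuple[str, str]  # ("DNS-ID" | "SRV-ID", value); representation assumed for this example


def build_reference_identifiers(source_domain: str, service_type: str) -> List[Identifier]:
    """Construct the reference identifier list from the domain the user supplied.

    A name learned by resolving that domain (a CNAME target, an MX host) is
    deliberately not an input here: item 5 in the thread is about not letting
    DNS answers widen what the client is willing to accept.
    """
    dom = source_domain.rstrip(".").lower()
    return [("DNS-ID", dom), ("SRV-ID", f"_{service_type.lower()}.{dom}")]


def dns_id_matches(presented: str, reference: str) -> bool:
    """Case-insensitive DNS-ID comparison with a conservative wildcard rule:
    '*' is accepted only as the entire left-most label, matches exactly one
    label, and needs at least two labels to its right (so '*.com' never matches)."""
    p = presented.rstrip(".").lower().split(".")
    r = reference.rstrip(".").lower().split(".")
    if len(p) != len(r):
        return False
    if p[0] == "*":
        return len(p) >= 3 and p[1:] == r[1:]
    return p == r


def identifier_matches(presented: Identifier, reference: Identifier) -> bool:
    """An identifier only ever matches a reference identifier of the same type."""
    ptype, pval = presented
    rtype, rval = reference
    if ptype != rtype:
        return False
    if ptype == "DNS-ID":
        return dns_id_matches(pval, rval)
    return pval.lower() == rval.lower()  # SRV-ID: exact, case-insensitive


def fingerprint(cert_der: bytes) -> str:
    return hashlib.sha256(cert_der).hexdigest()


@dataclass(frozen=True)
class PinContext:
    """Assumed model of the 'context' the thread wants included in the pin check."""
    source_domain: str
    service_type: str


class PinStore:
    """Pins are keyed by (reference identifier, context), so a certificate pinned
    for IMAP to example.com is not automatically trusted for SMTP to example.com."""

    def __init__(self) -> None:
        self._pins: Dict[Tuple[Identifier, PinContext], str] = {}

    def pin(self, reference: Identifier, context: PinContext, cert_der: bytes) -> None:
        self._pins[(reference, context)] = fingerprint(cert_der)

    def pinned_fingerprint(self, reference: Identifier, context: PinContext) -> Optional[str]:
        return self._pins.get((reference, context))


def service_identity_check(reference_ids: List[Identifier], presented_ids: List[Identifier],
                           cert_der: bytes, pins: PinStore, context: PinContext) -> Tuple[bool, str]:
    """The 4.6.2 procedure as worded in the thread: identifier match first, then
    the pinned-certificate fallback, which must agree on both the reference
    identifier and the context before the check may succeed."""
    for ref in reference_ids:
        for pres in presented_ids:
            if identifier_matches(pres, ref):
                return True, f"presented {pres[0]} {pres[1]!r} matches reference identifier"
    fp = fingerprint(cert_der)
    for ref in reference_ids:
        if pins.pinned_fingerprint(ref, context) == fp:
            return True, f"no identifier match, but certificate is pinned for {ref[1]!r} in this context"
    return False, "no presented identifier matches and no pin for this certificate in this context"


if __name__ == "__main__":
    # Constructed stand-in for a DER certificate; only its hash is used.
    cert = b"constructed DER bytes for certificate 1"
    ctx = PinContext("example.com", "imap")
    refs = build_reference_identifiers("Example.COM.", "imap")
    pins = PinStore()
    print(service_identity_check(refs, [("DNS-ID", "example.com")], cert, pins, ctx))
    print(service_identity_check(refs, [("DNS-ID", "mail.example.net")], cert, pins, ctx))
    pins.pin(("DNS-ID", "example.com"), ctx, cert)
    print(service_identity_check(refs, [("DNS-ID", "mail.example.net")], cert, pins, ctx))
    print(service_identity_check(refs, [("DNS-ID", "mail.example.net")], cert, pins,
                                 PinContext("example.com", "smtp")))
```

The last two calls in the usage section show why the "including the context" clause matters: the same pinned certificate is accepted for the IMAP context it was pinned in and rejected when the client reuses it for a different service type against the same domain.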
