On 02/08/2011 07:56 AM, Gervase Markham wrote:
> On 05/02/11 21:13, Nelson B Bolyard wrote:
>> 2) After 14 years of working on SSL/TLS for browsers, I can tell you that
>> browsers will all ignore the paragraph that says "Clients SHOULD NOT allow
>> users to force a connection ...".  I suppose that surprises no-one.
>
> It's all about precedent. If all browsers begin by not allowing it,
> no-one will expect it to be allowed.
>
> Disallowing something that was previously allowed is much harder than
> disallowing something which has always been disallowed.
So, we are already there. What they are talking about is disallowing
a cert if the DNSSEC record is there and the key doesn't match the cert.
Those certs were allowed, and now they are not, so I think that you are
already in the harder case.

bob



-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto