Hi Daniel,
On 18/04/2017 17:15, Daniel Margolis wrote:
> On Thu, Apr 6, 2017 at 11:08 AM, <[email protected]> wrote:
>
>> _ Section 3.3 HTTPS Policy Fetching
>> "When fetching a new policy or updating a policy, the HTTPS endpoint
>> MUST present an X.509 certificate which is valid for the "mta-sts"
>> host (as described in [RFC6125]), chain to a root CA that is trusted
>> by the sending MTA, and be non-expired."
>> Maybe it's redundant, but since it explicitly mentions non-expired,
>> should it also mention not revoked?
>
> Do relevant RFCs for HTTPS specify CRL/OCSP checking? If not--and in
> practice it varies by implementation, such that some major browsers do
> not implement one or the other--I would not want to mandate it here,
> even if it's a good idea.
> (And I agree it's a good idea in the abstract, but to my very limited
> knowledge, the state of deployment is haphazard, so it seems a bit
> risky to require it.)
RFC 5280 mentions it. I think you need to make it clear that checking
OCSP is not prohibited here. (Maybe say "MAY use OCSP to check for
revocation" or similar.)
Best Regards,
Alexey
_______________________________________________
Uta mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/uta
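As an added illustration of the checks the quoted draft text asks a sending MTA to make on the policy endpoint's certificate (name match for the "mta-sts" host per RFC 6125, a trusted chain, a current validity period) together with the optional revocation check discussed in the thread, here is example code that is not from the draft, the list or any MTA-STS implementation. It assumes the certificate has already been received by the TLS stack in the dictionary shape that Python's ssl.SSLSocket.getpeercert() returns, that chain building was done by that stack (passed in as a boolean), and that any OCSP or CRL lookup was made by the caller and its answer passed in; the sample certificate dictionary is constructed for the example. The wildcard rule is deliberately stricter than RFC 6125's SHOULD NOT, refusing a wildcard that would cover a whole top-level domain.

```python
"""Certificate checks for the HTTPS endpoint an MTA-STS policy is fetched
from. Works on the dict shape of ssl.SSLSocket.getpeercert(); chain
validation and any revocation lookup are done elsewhere and their results
passed in. Sample data below is constructed, not a real certificate."""
import ssl


def _normalise(name: str) -> str:
    # DNS names compare case-insensitively; a trailing dot is not significant.
    return name.rstrip(".").lower()


def dns_name_matches(presented: str, reference: str) -> bool:
    """Match one dNSName SAN against the reference host, RFC 6125 6.4.3 style.

    A wildcard is accepted only as the complete left-most label, matches
    exactly one label, and (an assumption stricter than RFC 6125's SHOULD NOT)
    must leave at least two labels to its right, so "*.com" matches nothing."""
    p, r = _normalise(presented), _normalise(reference)
    if "*" not in p:
        return p == r
    p_labels, r_labels = p.split("."), r.split(".")
    if p_labels[0] != "*" or any("*" in label for label in p_labels[1:]):
        return False
    if len(p_labels) < 3:
        return False
    return len(r_labels) == len(p_labels) and r_labels[1:] == p_labels[1:]


def ocsp_responders(cert: dict) -> tuple:
    """OCSP responder URIs from the certificate's AIA extension, as exposed by
    getpeercert() under the "OCSP" key. Empty means no OCSP check is possible
    for this certificate, which is one reason the draft can only say MAY."""
    return tuple(cert.get("OCSP", ()))


def check_policy_endpoint_cert(cert: dict, policy_domain: str, now: float,
                               chain_trusted: bool, revocation_status: str = None):
    """Return (ok, problems) for the certificate the policy endpoint presented.

    now is a POSIX timestamp. revocation_status is the outcome of an optional
    OCSP/CRL check made by the caller: "good", "revoked", "unknown", or None
    when none was made. Only an explicit "revoked" fails the fetch: the draft
    requires expiry checking but not revocation checking, so a missing answer
    is not an error."""
    host = "mta-sts." + _normalise(policy_domain)
    problems = []

    # Only dNSName SANs count; the subject CN is deliberately ignored, as
    # RFC 6125 recommends when subjectAltName is present.
    sans = [value for (kind, value) in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not any(dns_name_matches(san, host) for san in sans):
        problems.append("no dNSName SAN matches %s" % host)

    # getpeercert() gives ASN.1 GeneralizedTime-style strings; the stdlib
    # converts them to UTC epoch seconds.
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if not not_before <= now <= not_after:
        problems.append("certificate is outside its validity period")

    if not chain_trusted:
        problems.append("chain does not lead to a root the MTA trusts")

    if revocation_status == "revoked":
        problems.append("certificate has been revoked")

    return (not problems, problems)


# Constructed sample in getpeercert() shape; not a real certificate.
SAMPLE_CERT = {
    "subject": ((("commonName", "mta-sts.example.com"),),),
    "subjectAltName": (("DNS", "mta-sts.example.com"), ("DNS", "example.com")),
    "notBefore": "Jan  1 00:00:00 2017 GMT",
    "notAfter": "Dec 31 23:59:59 2017 GMT",
    "OCSP": ("http://ocsp.example.net/",),
}

if __name__ == "__main__":
    mid_2017 = ssl.cert_time_to_seconds("Jun  1 00:00:00 2017 GMT")
    print(check_policy_endpoint_cert(SAMPLE_CERT, "example.com", mid_2017, chain_trusted=True))
    print(check_policy_endpoint_cert(SAMPLE_CERT, "example.com", mid_2017 + 365 * 86400, chain_trusted=True))
    print(check_policy_endpoint_cert(SAMPLE_CERT, "example.org", mid_2017, chain_trusted=True))
    print(ocsp_responders(SAMPLE_CERT))
```

In a real fetcher the TLS stack already enforces the chain and hostname when a default-verifying context is used; the value of spelling the checks out separately is that the revocation answer is handled as an input the policy logic reasons about, so a deployment can turn OCSP on without the draft having to mandate it.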