I was struggling with this while I reviewed the doc. For instance, should we consider HPKP processing by the client? Is there a general rule we can use to identify what's in & out of scope?
Thanks, Wayne

On 11/27/13, 6:20 AM, "Tim Moses" <tim.mo...@entrust.com> wrote:

>Tom. These are good points. They relate more to the TLS stack than the
>PKI. But, they are relevant for all that.
>
>Can you provide specific questions?
>
>All the best. Tim.
>
>> On Nov 27, 2013, at 6:09 AM, "t.petch" <ie...@btconnect.com> wrote:
>>
>> Complicated :-( Perhaps there is a danger of losing the wood for the
>> trees.
>>
>> Thus, I think of TLS in terms of cipher suites and think that software
>> vendors would too; the mix and match approach of algorithms in 2) (where
>> is RC4 or AEAD or AES-GCM?) seems likely to produce the wrong answers.
>>
>> I also think of TLS in terms of versions, of which there are two values
>> that appear separately in setting up a TLS connection, and many software
>> vendors would appear not to understand what the specification says in
>> that regard and so are in breach of it. Fallback attacks derived
>> therefrom are a significant part of using TLS.
>>
>> And then there is Key Usage; some check, others do not.
>>
>> And the hot topic of three years ago was Renego and support for it;
>> still significant today. Links into fallback attacks.
>>
>> While a running sore is where does the software get its identifier from;
>> this document keeps talking of DN (I wonder how common that is).
>> RFC6125 should probably be in there somewhere.
>>
>> And the treatment of user certs (I know what Microsoft does and it is
>> very sensible but suspect that it is unique).
>>
>> etc etc
>>
>> Tom Petch
>>
>> ----- Original Message -----
>> From: "Rick Andrews" <rick_andr...@symantec.com>
>> To: <wpkops@ietf.org>
>> Sent: Wednesday, November 27, 2013 12:27 AM
>>
>> Folks,
>>
>> Here's a very early draft, started by Tim with updates from David and
>> me. I've turned on Track Changes; please feel free to add edits and
>> comments.
>>
>> I'm sure there are many more questions we can ask. Please pile 'em on.
>>
>> -Rick
>>
>>> _______________________________________________
>>> wpkops mailing list
>>> wpkops@ietf.org
>>> https://www.ietf.org/mailman/listinfo/wpkops
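Tom Petch's point about where the software gets its identifier from (subjectAltName dNSName per RFC 6125, rather than the DN the draft keeps referring to) is concrete enough to show in code. The following is an added example written for this page, not code from the thread, the wpkops draft or any named TLS implementation. It implements the RFC 6125 section 6.4 matching rules on plain strings; the function names are mine, the inputs would in practice come from a parsed certificate, and the refusal of TLD-spanning wildcards such as `*.com` is a conservative choice beyond what RFC 6125 requires (it mirrors common browser practice).

```python
"""Reference-identifier matching for TLS server certificates, following
RFC 6125 section 6.4.  Added example; not from the wpkops draft or any
named implementation.  Inputs are plain strings; a real client would pull
them out of the parsed certificate (SAN dNSName entries and subject CN)."""


def _normalize(name: str) -> str:
    """Case-fold and drop a trailing root dot so comparisons are label-wise."""
    return name.rstrip(".").lower()


def _match_presented(reference: str, presented: str) -> bool:
    """Compare one presented identifier against the reference identifier.

    RFC 6125 section 6.4.3: a wildcard is honoured only when it sits in
    the left-most label, and it then matches exactly one label.
    """
    ref_labels = _normalize(reference).split(".")
    pres_labels = _normalize(presented).split(".")

    if "*" not in presented:
        return ref_labels == pres_labels

    # Rule 1: a wildcard anywhere but the left-most label is not matched
    # (do not match "bar.*.example.net").
    if any("*" in label for label in pres_labels[1:]):
        return False
    # Rule 2: "*.example.com" matches foo.example.com but not
    # bar.foo.example.com or example.com, so label counts must agree.
    if len(ref_labels) != len(pres_labels):
        return False
    # Conservative choice beyond RFC 6125 (assumption, mirrors browser
    # practice): refuse a wildcard that would span a whole TLD ("*.com").
    if len(pres_labels) < 3:
        return False
    if ref_labels[1:] != pres_labels[1:]:
        return False

    left = pres_labels[0]
    if left == "*":
        return ref_labels[0] != ""
    # Rule 3: a partial wildcard such as "baz*" MAY be matched; allow one '*'.
    if left.count("*") != 1:
        return False
    prefix, suffix = left.split("*")
    target = ref_labels[0]
    return (len(target) >= len(prefix) + len(suffix)
            and target.startswith(prefix) and target.endswith(suffix))


def match_hostname(reference: str, san_dns_names, subject_cn=None) -> bool:
    """Decide whether a certificate is valid for `reference` (a DNS name).

    RFC 6125 section 6.4.4: the subject CN (CN-ID) is consulted only when
    the certificate presents no DNS-ID (subjectAltName dNSName) at all.
    """
    if san_dns_names:
        candidates = list(san_dns_names)
    elif subject_cn:
        candidates = [subject_cn]
    else:
        return False
    return any(_match_presented(reference, p) for p in candidates)


if __name__ == "__main__":
    # Constructed inputs, not taken from any real certificate.
    print(match_hostname("www.example.com", ["*.example.com"], None))       # True
    print(match_hostname("www.example.com", ["other.example.com"],
                         "www.example.com"))                                # False: CN ignored
    print(match_hostname("www.example.com", [], "www.example.com"))         # True: CN fallback
```

The second `__main__` case is the one that bites implementations that "keep talking of DN": once a certificate carries any dNSName, a matching CN must not rescue it.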