Toerless Eckert <t...@cs.fau.de> wrote:
> Wrt to the erratas:
> https://www.rfc-editor.org/errata_search.php?rfc=8995&rec_status=0

> I do agree that support for rfc6066 SNI would be great to have.

It's not really about it being "great" :-)
It's REQUIRED by TLS1.3, and in order for multi-tenant to work, it is a MUST.
When I say "multi-tenant", I mean any cloud provider that has, for instance, "hardware" TLS offload.

> I do not know if/what difference to implementations it would make
> if an errata is "validated" or if it is just assessed as
> "hold for document update", e.g.: if we do need/want/have-to-fight to
> get "validated" status from Rob (hi Rob!).

It's not a significant amount of work.

> So, IMHO the real requirement we have are:
> 1. Pledge, Registrar and MASA MUST support RFC5246 (TLS 1.2)
> 2. Pledge, Registrar and MASA SHOULD support RFC8446 (TLS 1.3).
> 3. Registrars MUST signal SNI according to RFC6066 when connecting to an RFC5246 MASA.

The other bit is that Registrars MUST IGNORE SNI when accepting Pledge connections.
Pledges ought to not send it, since they don't really know what to put.
(Is that a SHOULD NOT, or a MUST NOT, or what, I am not sure. The requirement is on the receiver to ignore it)

That's a second errata.

--
]               Never tell me the odds!                 | ipv6 mesh networks [
]   Michael Richardson, Sandelman Software Works        |    IoT architect   [
]     m...@sandelman.ca  http://www.sandelman.ca/        |   ruby on rails    [

--
Michael Richardson <mcr+i...@sandelman.ca>   . o O ( IPv6 IøT consulting )
           Sandelman Software Works Inc, Ottawa and Worldwide
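Added example (not from this thread or from any BRSKI implementation): a Go sketch of the two SNI rules discussed above. The registrar-style listener looks at the ClientHello's SNI only to record it and never gates acceptance on it, while the client sets ServerName when it plays a registrar reaching a MASA and leaves it empty as a pledge would. It assumes a throwaway self-signed certificate, the hypothetical name masa.example, and InsecureSkipVerify in place of a real trust anchor.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"math/big"
	"net"
	"time"
)

func selfSigned() tls.Certificate { // throwaway demo certificate, constructed here; errors ignored
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
}

// Handshake runs one handshake against a registrar-style listener and returns the SNI it observed; sni == "" sends none (pledge style).
func Handshake(cert tls.Certificate, sni string) (string, error) {
	seen := make(chan string, 1)
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{cert}, MinVersion: tls.VersionTLS12,
		GetConfigForClient: func(h *tls.ClientHelloInfo) (*tls.Config, error) {
			seen <- h.ServerName // "Registrars MUST IGNORE SNI": observe only, no name check, no rejection
			return nil, nil      // nil keeps the listener's own config
		}})
	if err != nil {
		return "", err
	}
	defer ln.Close()
	go func() { // registrar side: accept one connection and drive its handshake
		if c, err := ln.Accept(); err == nil {
			c.(*tls.Conn).Handshake()
			c.Close()
		}
	}()
	raw, err := net.Dial("tcp", ln.Addr().String())
	if err != nil {
		return "", err
	}
	cli := tls.Client(raw, &tls.Config{ServerName: sni, InsecureSkipVerify: true}) // ServerName is the SNI on the wire; skip-verify only because the demo has no trust anchor
	defer cli.Close()
	if err := cli.Handshake(); err != nil {
		return "", err
	}
	return <-seen, nil
}
```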
_______________________________________________
Anima mailing list
Anima@ietf.org
https://www.ietf.org/mailman/listinfo/anima