Hello Scott,

On 3/31/22 19:58, Hollenbeck, Scott wrote:
> [SAH] Client certificates ARE required for TCP transport with TLS. See here: https://datatracker.ietf.org/doc/html/rfc5734#section-9 They're not specifically a requirement for EPP, but they are for that particular transport protocol (which just happens to be the only standard transport protocol).
Interesting, it seems that we overlooked that in our own (TANGO) implementation. There, we're currently allowing clients to connect without presenting a client certificate, but they *may* send one (which isn't checked beyond the CA's trustworthiness).
The thing is that many registries' client certificate checks end with doing just that, i.e. clients may present ANY certificate, as long as it's not expired and issued by a CA trusted by the registry's server. In particular, the common name is usually *not* checked, as no properties of the client certificates are "negotiated out of band", as RFC 5734 suggests. To us, this common practice seemed silly, as anybody can easily get a trusted certificate like that, but all that does is add costs and effort for the client, while not adding any security. This is why we made the client certificate optional, but as it's obviously an RFC violation, we'll need to change that.
Best regards,
Thomas

--
TANGO REGISTRY SERVICES® is a product of:
Knipp Medien und Kommunikation GmbH
Technologiepark                  Phone:  +49 231 9703-222
Martin-Schmeisser-Weg 9          Fax:    +49 231 9703-200
D-44227 Dortmund                 E-Mail: supp...@tango-rs.com
Germany

_______________________________________________
regext mailing list
regext@ietf.org
https://www.ietf.org/mailman/listinfo/regext
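The two points raised in the thread, as an added Python example that is not TANGO's or any registry's code: the RFC 5734 requirement that the TLS server refuse a handshake without a client certificate, and the "negotiated out of band" binding that checks the presented certificate against the registrar account named in the EPP <login>, so that any certificate from a trusted CA is not enough. The registrar identifiers, CA name, enrollment table and peer-certificate dicts are constructed for illustration; the dict shape is the one Python's `ssl.SSLSocket.getpeercert()` returns.

```python
import ssl
from typing import Any, Mapping, Optional

# Constructed enrollment table: the certificate identity each registrar account
# registered with the registry out of band (e.g. through the registrar portal).
REGISTRAR_BINDINGS: Mapping[str, Mapping[str, str]] = {
    "registrar-1": {"issuer_cn": "Example Registry CA", "subject_cn": "epp.registrar-1.example"},
    "registrar-2": {"issuer_cn": "Example Registry CA", "subject_cn": "epp.registrar-2.example"},
}

# Constructed peer certificate in getpeercert() form: chains to the trusted CA,
# issued to registrar-1.
PEERCERT_REGISTRAR_1: Mapping[str, Any] = {
    "subject": ((("commonName", "epp.registrar-1.example"),),),
    "issuer": ((("commonName", "Example Registry CA"),),),
}


def make_server_context(ca_bundle: Optional[str] = None) -> ssl.SSLContext:
    """Server-side context for EPP over TCP/TLS (RFC 5734 section 9).

    CERT_REQUIRED aborts the handshake when no client certificate is sent;
    CERT_OPTIONAL would accept the connection and leave the gap open.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED
    if ca_bundle:  # only the registry's approved CAs, not the system store
        ctx.load_verify_locations(cafile=ca_bundle)
    return ctx


def _rdn_value(name: Any, attribute: str) -> Optional[str]:
    """Extract one attribute (e.g. commonName) from getpeercert()'s nested RDN tuples."""
    for rdn in name:
        for key, value in rdn:
            if key == attribute:
                return value
    return None


def authorize_client(peercert: Optional[Mapping[str, Any]], login_clid: str,
                     bindings: Mapping[str, Mapping[str, str]] = REGISTRAR_BINDINGS) -> bool:
    """Second check, run when the EPP <login> arrives: the chain-validated
    certificate must be the one enrolled for this clID, not just any trusted cert."""
    if not peercert:  # None or {}: no validated client certificate on this session
        return False
    expected = bindings.get(login_clid)
    if expected is None:
        return False
    subject_cn = _rdn_value(peercert.get("subject", ()), "commonName")
    issuer_cn = _rdn_value(peercert.get("issuer", ()), "commonName")
    return subject_cn == expected["subject_cn"] and issuer_cn == expected["issuer_cn"]
```

In a real server the certificate comes from `conn.getpeercert()` after `ctx.wrap_socket()` completes the handshake, and a `False` result is answered with an EPP authorization error rather than a successful login.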