Re: [Uta] Pinning

2021-09-09 Thread Peter Saint-Andre
On 9/9/21 9:16 AM, Alexey Melnikov wrote: > On 09/09/2021 16:12, Viktor Dukhovni wrote: > >> On Thu, Sep 09, 2021 at 01:55:44PM +, Salz, Rich wrote: >> >>> I updated >>> https://github.com/richsalz/draft-ietf-uta-rfc6125bis/pull/19 to have >>> something based on Viktor's suggestion. The main w

Re: [Uta] Pinning

2021-09-09 Thread Alexey Melnikov
On 09/09/2021 16:12, Viktor Dukhovni wrote: On Thu, Sep 09, 2021 at 01:55:44PM +, Salz, Rich wrote: I updated https://github.com/richsalz/draft-ietf-uta-rfc6125bis/pull/19 to have something based on Viktor's suggestion. The main wording changes were about using MUST MAY SHOULD language in

Re: [Uta] Pinning

2021-09-09 Thread Viktor Dukhovni
On Thu, Sep 09, 2021 at 01:55:44PM +, Salz, Rich wrote: > I updated > https://github.com/richsalz/draft-ietf-uta-rfc6125bis/pull/19 to have > something based on Viktor's suggestion. The main wording changes were > about using MUST MAY SHOULD language in that whole section. Works for me, I'd b

Re: [Uta] Pinning

2021-09-09 Thread Salz, Rich
>This is most of what's needed. Plus something along the lines of: I updated https://github.com/richsalz/draft-ietf-uta-rfc6125bis/pull/19 to have something based on Viktor's suggestion. The main wording changes were about using MUST MAY SHOULD language in that whole section.

Re: [Uta] Pinning

2021-09-08 Thread Salz, Rich
This is most of what's needed. Plus something along the lines of: In some cases the user should be able to accept the certificate in question as valid also for subsequent connections. Such ad-hoc "pinning" should typically not restrict future connections to just

Re: [Uta] Pinning

2021-09-08 Thread Viktor Dukhovni
On Wed, Sep 08, 2021 at 04:45:24PM +, Salz, Rich wrote: > >Perhaps the text can be made more concise, but I don't think full > removal is warranted. This is *not* the fragile key pinning from HPKP. > > Right now the text has this. Is more needed? > > ### Failure: No Match Found > >

Re: [Uta] Pinning

2021-09-08 Thread Salz, Rich
>Perhaps the text can be made more concise, but I don't think full removal is warranted. This is *not* the fragile key pinning from HPKP. Right now the text has this. Is more needed? ### Failure: No Match Found If the client does not find a presented identifier matching any of the refe

Re: [Uta] Pinning

2021-09-08 Thread Viktor Dukhovni
On Wed, Sep 08, 2021 at 03:52:23PM +, Salz, Rich wrote: > I would like to remove the discussion of pinning from 5126bis for the > following reason: [ You surely meant 6125, but let your fingers do the talking... ] > > * It’s an escape hatch, saying “do all these things but if you don’t
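The "Failure: No Match Found" path and the ad-hoc "pinning" that Rich Salz's two 2021-09-08 messages above propose for it, modelled as an added Python example. This is not text or code from draft-ietf-uta-rfc6125bis, nor from anyone in the thread. It assumes that the presented identifiers have already been extracted from the certificate as dNSName strings, that the certificate is represented by constructed stand-in bytes whose SHA-256 plays the role of the fingerprint, that a pin is scoped to a single reference identifier, and that a pin is consulted only after ordinary matching fails, so it adds an acceptance path for that host rather than replacing validation (this reading of "should typically not restrict future connections" is the example's own assumption). Chain validation, the public-suffix restriction on wildcards and the user-consent dialogue are out of scope.

```python
"""Model of an RFC 6125-style identity check with ad-hoc pinning on the
"no match found" path.  Added example; not code from draft-ietf-uta-rfc6125bis.
Assumes SANs are already extracted as dNSName strings and that a certificate
is represented by its DER bytes (constructed stand-in bytes are used below)."""
import hashlib
from typing import Dict, Iterable, List, Set


def _normalize(name: str) -> str:
    """Case-fold and drop a trailing dot so comparisons are byte-exact."""
    return name.rstrip(".").lower()


def dns_id_matches(reference: str, presented: str) -> bool:
    """Match one presented DNS-ID against the client's reference identifier.

    A wildcard is honoured only as the entire left-most label and covers
    exactly one label: "*.example.com" matches "www.example.com" but neither
    "example.com" nor "a.b.example.com".  (Public-suffix handling omitted.)
    """
    ref, pres = _normalize(reference), _normalize(presented)
    if ref == pres:
        return True
    if not pres.startswith("*."):
        return False
    suffix = pres[1:]                    # ".example.com"
    if not ref.endswith(suffix):
        return False
    covered = ref[: -len(suffix)]        # the labels the "*" would have to cover
    return covered != "" and "." not in covered


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 over the DER certificate, the usual form of a certificate pin."""
    return hashlib.sha256(cert_der).hexdigest()


class PinStore:
    """Ad-hoc pins accepted by the user, scoped to one reference identifier.

    A pin only widens what is accepted for that host; it never replaces the
    ordinary identifier match, so a later certificate that matches normally is
    accepted whether or not it is pinned (assumption of this example).
    """

    def __init__(self) -> None:
        self._pins: Dict[str, Set[str]] = {}

    def pin(self, reference: str, cert_der: bytes) -> None:
        self._pins.setdefault(_normalize(reference), set()).add(fingerprint(cert_der))

    def is_pinned(self, reference: str, cert_der: bytes) -> bool:
        return fingerprint(cert_der) in self._pins.get(_normalize(reference), set())


def verify_identity(reference: str, presented_ids: Iterable[str],
                    cert_der: bytes, pins: PinStore) -> str:
    """Return "match", "pinned" or "no-match".

    Order matters: ordinary matching first, pins second, so a pin never
    narrows what would otherwise be accepted.  "no-match" is where the
    draft's "Failure: No Match Found" text applies and where a client may
    ask the user whether to accept, and optionally pin, this certificate.
    """
    if any(dns_id_matches(reference, p) for p in presented_ids):
        return "match"
    if pins.is_pinned(reference, cert_der):
        return "pinned"
    return "no-match"


# Constructed stand-ins for DER-encoded certificates (not real certificates).
CERT_A = b"constructed-der-bytes-certificate-A"
CERT_B = b"constructed-der-bytes-certificate-B"


def scenario() -> List[str]:
    """Walk the failure path: first contact, pin, renewal, fix, other host."""
    pins = PinStore()
    host = "mail.example.net"
    results: List[str] = []
    # 1. Server presents a cert for a different name: no match found.
    results.append(verify_identity(host, ["www.example.net"], CERT_A, pins))
    # 2. User accepts and pins it; the same cert is now accepted for this host.
    pins.pin(host, CERT_A)
    results.append(verify_identity(host, ["www.example.net"], CERT_A, pins))
    # 3. A renewed cert with the same wrong name is not covered by the pin.
    results.append(verify_identity(host, ["www.example.net"], CERT_B, pins))
    # 4. The operator fixes the SAN: ordinary matching accepts it, pin or not.
    results.append(verify_identity(host, ["*.example.net"], CERT_B, pins))
    # 5. The pin is scoped: the same cert for another host is still a failure.
    results.append(verify_identity("imap.example.net", ["www.example.net"], CERT_A, pins))
    return results


if __name__ == "__main__":
    for step, outcome in enumerate(scenario(), 1):
        print(step, outcome)
```

Step 3 is the property that separates this from HPKP-style key pinning as discussed in the thread: the pin covers one certificate the user explicitly accepted, and a rotated certificate simply lands back on the "no match found" path instead of being rejected outright, while step 4 shows that a pinned host remains reachable with any certificate that passes ordinary matching.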