Hi Daniel, Richard,
In the latest version, we added the following text:
It is noted that the requirements regarding host name validation (and in
general, binding between the TLS layer and the protocol that runs above
it) vary between different protocols. For HTTPS, these requirements are
defined by Sec. 3 of [RFC2818].
Readers are referred to [RFC6125] for further details regarding generic
host name validation in the TLS context. In addition, the RFC contains a
long list of example protocols, some of which implement a policy very
different from HTTPS.
Can you please comment on this text? Please bear in mind that our
context is wider than just HTTPS.
Thanks,
Yaron
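The draft text above points at RFC 2818 section 3.1 and RFC 6125 for the actual matching rules, and Richard's message further down suggests shipping test cases. As an added illustration (not text from the draft, the RFCs, or any of the list participants), here is a small reference matcher in Python that applies the rules the way a conservative TLS client would, together with a constructed set of test vectors of the kind Richard describes. It assumes the certificate's identifiers have already been parsed into plain Python values (it is not an X.509 parser), and it deliberately refuses the looser wildcard forms that RFC 6125 merely tolerates; the vector list is constructed for this example and is not an official test suite.

```python
"""Toy hostname matcher in the style of RFC 2818 sec. 3.1 and RFC 6125 sec. 6.

Added example; assumes dNSName / iPAddress SANs and the Common Name are already
parsed out of the certificate. It is intentionally stricter than the RFCs
require where they leave room (partial wildcards, wildcard depth, A-labels).
"""
import ipaddress
import re
from typing import List, Optional

# One DNS label: letters, digits, hyphen; no leading/trailing hyphen, no NUL etc.
_LABEL_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]*[a-z0-9])?$")


def _normalize(name: str) -> str:
    # DNS names compare case-insensitively; drop a single trailing dot (FQDN form).
    name = name.lower()
    return name[:-1] if name.endswith(".") else name


def dns_id_matches(presented: str, reference: str) -> bool:
    """Match one dNSName presented identifier against the reference identifier.

    Rules applied (conservative reading of RFC 6125 section 6.4.3):
      * comparison is case-insensitive and label by label;
      * a wildcard is honoured only as the entire left-most label ("*.example.com");
      * the wildcard matches exactly one non-empty label, never "a.b";
      * no wildcard match when the reference's left-most label is an A-label
        ("xn--...") or when fewer than two labels follow the wildcard.
    """
    p_labels = _normalize(presented).split(".")
    r_labels = _normalize(reference).split(".")

    if any(label == "" for label in p_labels + r_labels):
        return False  # empty labels ("a..b", "") are never valid

    if "*" not in presented:
        # Exact match; the label syntax check also rejects embedded NUL bytes.
        return all(_LABEL_RE.match(l) for l in p_labels) and p_labels == r_labels

    if p_labels[0] != "*" or any("*" in l for l in p_labels[1:]):
        return False  # partial wildcards ("w*.") and non-leading wildcards refused
    if len(p_labels) < 3:
        return False  # "*.com" would cover every host under .com
    if len(p_labels) != len(r_labels):
        return False  # "*" stands for exactly one label
    if r_labels[0].startswith("xn--"):
        return False  # do not wildcard-match internationalized labels
    return all(_LABEL_RE.match(l) for l in p_labels[1:]) and p_labels[1:] == r_labels[1:]


def _parse_ip(text: str):
    try:
        return ipaddress.ip_address(text.strip("[]"))
    except ValueError:
        return None


def cert_matches_host(reference: str, san_dns: List[str], san_ip: List[str],
                      cn: Optional[str]) -> bool:
    """Decide whether the certificate's identifiers cover `reference`.

    RFC 2818 section 3.1: if any dNSName SAN is present it MUST be used as the
    identity and the Common Name is ignored; the CN is only a fallback for
    certificates without a dNSName SAN. An IP literal in the reference must
    match an iPAddress SAN exactly, never a dNSName or the CN.
    """
    ip = _parse_ip(reference)
    if ip is not None:
        return any(_parse_ip(p) == ip for p in san_ip)
    if san_dns:
        return any(dns_id_matches(p, reference) for p in san_dns)
    return cn is not None and dns_id_matches(cn, reference)


# Constructed test vectors (reference, dNSName SANs, iPAddress SANs, CN, expected).
TEST_VECTORS = [
    ("www.example.com", ["www.example.com"], [], None, True),
    ("WWW.EXAMPLE.COM", ["www.example.com"], [], None, True),          # case-insensitive
    ("www.example.com", ["*.example.com"], [], None, True),             # whole-label wildcard
    ("a.b.example.com", ["*.example.com"], [], None, False),            # wildcard is one label
    ("example.com", ["*.example.com"], [], None, False),                # no empty-label match
    ("www.example.com", ["*.com"], [], None, False),                    # too few labels after "*"
    ("www.example.com", ["w*.example.com"], [], None, False),           # partial wildcard refused
    ("xn--bcher-kva.example.com", ["*.example.com"], [], None, False),  # A-label not wildcarded
    ("www.example.com", ["mail.example.com"], [], "www.example.com", False),  # SAN present, CN ignored
    ("www.example.com", [], [], "www.example.com", True),               # CN fallback without SAN
    ("192.0.2.1", ["192.0.2.1"], [], None, False),                      # IP needs iPAddress SAN
    ("192.0.2.1", [], ["192.0.2.1"], None, True),
    ("www.example.com", ["www.example.com\x00.evil.test"], [], None, False),  # embedded NUL
]


def run_test_vectors() -> list:
    """Return the vectors whose outcome differs from expectation (empty list = all pass)."""
    failures = []
    for ref, dns, ips, cn, expected in TEST_VECTORS:
        got = cert_matches_host(ref, dns, ips, cn)
        if got != expected:
            failures.append((ref, dns, ips, cn, expected, got))
    return failures


if __name__ == "__main__":
    for failure in run_test_vectors():
        print("FAIL:", failure)
    print("done")
```

The split between `dns_id_matches` (one presented identifier against one reference) and `cert_matches_host` (which identifiers the protocol binding allows to be consulted at all) mirrors the distinction the draft text draws: RFC 6125 governs the former, while the SAN-over-CN and IP-literal rules of RFC 2818 section 3.1 are an HTTPS-specific policy that other protocols may set differently.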
On 08/29/2014 12:53 AM, Daniel Stenberg wrote:
On Thu, 28 Aug 2014, Richard Moore wrote:
I've found (and reported or fixed) flaws in the hostname verification
of pretty much all the browsers and libraries and I don't think the
rules are clear. I'm happy to add the test cases I use for testing
this stuff myself to the rfc as examples if people think that would be
helpful.
As author of one of those libs Richard speaks of, I can only say that I
would be happy to see such test cases.
Had we had such tests (and preferably a single RFC detailing all on how
to verify a TLS server certificate) in the past, perhaps we could have
avoided a few nasty security vulnerabilities.
--
/ daniel.haxx.se
_______________________________________________
Uta mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/uta