> On Oct 24, 2014, at 10:51 AM, Ilari Liusvaara <[email protected]>
> wrote:
>
>> On Fri, Oct 24, 2014 at 05:21:03PM +0200, Leif Johansson wrote:
>>
>> Folks,
>>
>> This email starts a 2 week WGLC for draft-ietf-uta-tls-bcp-06. Please
>> provide your comments no later than Friday the 7th of November.
>
>
> Should there be anything about ensuring that trust anchors are
> properly validated? After all, path validation doesn't mean much
> if there are trivial ways to bypass it.

Referencing RFC 5280 and RFC 6125 might be enough in this context.

Peter

>
> There have been programs that do proper validation of names,
> but:
>
> 1) Accept inappropriate self-signed certificates.
> 2) Accept any certificate signed by a "CA" (don't validate TAs).
> 3) Both 1 and 2 at once.
>
>
> The set of appropriate trust anchors is obviously application-specific
> and could even include EE certificates (or RFC 7250 RPKs).
>
>
>
> -Ilari
>
> _______________________________________________
> Uta mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/uta
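
The failure modes listed in the quoted message, as an added example that is not part of the original thread: a validator that checks names and signatures but never checks the trust anchor, next to one that does. This is a constructed model, not real X.509; HMAC stands in for signatures, the name check is a plain string comparison rather than RFC 6125 matching, and every name in it is hypothetical.

```python
import hashlib, hmac
from dataclasses import dataclass, replace

# Constructed model, not real X.509: HMAC stands in for a signature, and the
# `key` field stands in for the subject's key pair. All names are hypothetical.
@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    is_ca: bool
    key: bytes
    sig: bytes = b""

def _tbs(c):
    return f"{c.subject}|{c.issuer}|{c.is_ca}|".encode() + c.key

def issue(c, issuer_key):
    return replace(c, sig=hmac.new(issuer_key, _tbs(c), hashlib.sha256).digest())

def fingerprint(c):
    return hashlib.sha256(_tbs(c) + c.sig).hexdigest()

def chain_is_consistent(chain):
    """Each cert is signed by the next one; the last one is self-signed."""
    for cert, issuer in zip(chain, chain[1:] + chain[-1:]):
        expected = hmac.new(issuer.key, _tbs(cert), hashlib.sha256).digest()
        if cert.issuer != issuer.subject or not hmac.compare_digest(cert.sig, expected):
            return False
        if issuer is not cert and not issuer.is_ca:
            return False
    return True

def validate_flawed(chain, host):
    # Checks the name and the signatures, but never asks who the root is:
    # accepts self-signed certs and chains under any self-declared "CA".
    return bool(chain) and chain[0].subject == host and chain_is_consistent(chain)

def validate(chain, host, trust_anchors):
    # Same checks, plus: some cert in the chain must be a configured trust
    # anchor (a CA or, per the thread, a pinned end-entity certificate).
    return (validate_flawed(chain, host)
            and any(fingerprint(c) in trust_anchors for c in chain))

# Constructed sample chains.
root = issue(Cert("Good Root", "Good Root", True, b"k-root"), b"k-root")
good = [issue(Cert("mail.example", "Good Root", False, b"k-ee"), b"k-root"), root]
evil_ca = issue(Cert("Evil CA", "Evil CA", True, b"k-evil"), b"k-evil")
forged = [issue(Cert("mail.example", "Evil CA", False, b"k-x"), b"k-evil"), evil_ca]
self_signed = [issue(Cert("mail.example", "mail.example", False, b"k-s"), b"k-s")]
ANCHORS = {fingerprint(root)}
```

Both validators accept the `good` chain, but only `validate` rejects `forged` and `self_signed`; the self-signed certificate passes only when its own fingerprint is configured as an anchor.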
