> On Oct 24, 2017, at 5:10 AM, Daniel Margolis <dmargo...@google.com> wrote:
> 
> Regarding arguments in favor of supporting SNI, Jim made the best attempt in 
> this thread to come up with a motivating use case, and I don't find it very 
> compelling. In his example (where two hosting providers merge 
> infrastructure), a) STS does not require that the hostnames actually match 
> the certificate presented (but only that the certificate match the policy!), 
> and b) even if the provider wants the hostname to match the certificate, they 
> can just use a single cert with multiple SANs to achieve this. 
> 

Regarding a) above: I apparently missed this. Is there any other circumstance 
where the certificate presented is matched against anything other than the 
hostname?

If we go forward with REQUIRETLS, this would require that it match against the 
STS policy if one is present, or against the hostname if one isn’t present. I 
haven’t yet fully thought through whether this has any security implications, 
but at first glance it seems like spoofing an STS policy where one isn’t 
present would be another way to cause REQUIRETLS to accept a certificate it 
shouldn’t.

-Jim
_______________________________________________
Uta mailing list
Uta@ietf.org
https://www.ietf.org/mailman/listinfo/uta
