This is most of what's needed. Plus something along the lines of:

In some cases the user should be able to accept the certificate in question as valid also for subsequent connections. Such ad-hoc "pinning" should typically not restrict future connections to just the pinned certificate. Local policy that statically enforces a given certificate for a given peer is best made available only as prior configuration, rather than a just-in-time override for a failed connection.

Feel free to wordsmith if largely acceptable, or clarify objections if not...

Largely acceptable to me :) I'll tweak a bit and add it to the pull request soon.

_______________________________________________
Uta mailing list
Uta@ietf.org
https://www.ietf.org/mailman/listinfo/uta