On 6/24/22 5:07 PM, Peter Saint-Andre wrote:

* Which identifier types a client includes in its list of reference identifiers, and their priority, is a matter of local policy - given the situation today, can we have a normative recommendation for clients to be strict in constructing their reference list? If we don't include such normative text, we're basically telling people to make the easier choice and build lenient clients.

It seems to me that the local policy will depend a great deal on the protocol(s) that an application supports, the state of SRV-ID and URI-ID support in that protocol and its implementations/deployments, etc. However, I do think that we can formulate some more strict rules that ought to be followed by implementations. Text to follow.

Here is a proposed change.

OLD

   Which identifier types a client includes in its list of reference
   identifiers, and their priority, is a matter of local policy.  For
   example, a client that is built to connect only to a particular kind
   of service might be configured to accept as valid only certificates
   that include an SRV-ID for that application service type.  By
   contrast, a more lenient client, even if built to connect only to a
   particular kind of service, might include both SRV-IDs and DNS-IDs in
   its list of reference identifiers.

NEW

   Which identifier types a client includes in its list of reference
   identifiers, and their priority, is a matter of local policy.  The
   substance of such a policy might depend on the application
   protocol that a client supports, the state of SRV-ID and URI-ID
   support in that protocol, and similar factors.  In general, a client
   SHOULD follow a policy that is consistent with the highest level of
   security and strictest rules for service identification available in
   an application protocol.  For instance, if the protocol defines an
   SRV-ID or URI-ID for the application service type and that SRV-ID or
   URI-ID is commonly included in certificates issued to such services,
   then the client ought to be configured to accept as valid only
   certificates that include the SRV-ID or URI-ID (not merely a DNS-ID).
   Such a policy can help to avoid cross-protocol attacks.

Peter

_______________________________________________
Uta mailing list
Uta@ietf.org
https://www.ietf.org/mailman/listinfo/uta
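To make the strict-versus-lenient policy concrete, here is an added example (not part of Peter's message or of the draft text) that models how a client builds its list of reference identifiers and checks them against the identifiers presented in a server certificate. Certificates are represented as plain lists of (type, value) pairs constructed for the example rather than parsed from real DER; the service type `xmpp-client` and the `example.com` names are assumptions chosen for illustration, and URI-ID handling is omitted. The matching rules follow RFC 6125: DNS-IDs compare case-insensitively with a wildcard allowed only as the whole left-most label, and SRV-IDs (RFC 4985 `_service.domain` form) compare service and domain case-insensitively with no wildcards.

```python
"""Added example: reference identifier policy for a strict vs. lenient client.

Not code from the original message or from RFC 6125bis. Identifier types and
matching rules follow RFC 6125; the sample certificates below are constructed
for the example and are not real certificates.
"""
from typing import List, Tuple

# ("DNS-ID", "example.com") or ("SRV-ID", "_xmpp-client.example.com")
Identifier = Tuple[str, str]


def dns_id_matches(reference: str, presented: str) -> bool:
    """DNS-ID comparison: case-insensitive, same number of labels, and a
    wildcard only as the entire left-most label of the presented identifier
    (matching exactly one label of the reference identifier)."""
    ref = reference.lower().rstrip(".").split(".")
    pres = presented.lower().rstrip(".").split(".")
    if len(ref) != len(pres) or len(ref) < 2:
        return False
    if pres[0] == "*":
        return ref[1:] == pres[1:]
    return ref == pres


def srv_id_matches(reference: str, presented: str) -> bool:
    """SRV-ID comparison: both sides must be of the form _service.domain; the
    service label and the domain must match case-insensitively, and no
    wildcard matching is performed for SRV-IDs."""
    ref_service, _, ref_domain = reference.partition(".")
    pres_service, _, pres_domain = presented.partition(".")
    if not (ref_service.startswith("_") and pres_service.startswith("_")):
        return False
    return (ref_service.lower() == pres_service.lower()
            and ref_domain.lower().rstrip(".") == pres_domain.lower().rstrip("."))


def build_reference_identifiers(service: str, domain: str,
                                strict: bool) -> List[Identifier]:
    """Build the client's reference identifiers in priority order.

    strict=True models the policy in the NEW text: only an SRV-ID for the
    application service type is acceptable. strict=False models the lenient
    client that also accepts a bare DNS-ID for the domain."""
    refs: List[Identifier] = [("SRV-ID", f"_{service}.{domain}")]
    if not strict:
        refs.append(("DNS-ID", domain))
    return refs


def certificate_matches(reference_ids: List[Identifier],
                        presented_ids: List[Identifier]) -> bool:
    """Accept the certificate if any reference identifier matches a presented
    identifier of the same type."""
    for rtype, rvalue in reference_ids:
        for ptype, pvalue in presented_ids:
            if rtype != ptype:
                continue
            if rtype == "DNS-ID" and dns_id_matches(rvalue, pvalue):
                return True
            if rtype == "SRV-ID" and srv_id_matches(rvalue, pvalue):
                return True
    return False


def evaluate(service: str, domain: str, strict: bool,
             presented_ids: List[Identifier]) -> bool:
    """Convenience wrapper: build the reference list and check one cert."""
    refs = build_reference_identifiers(service, domain, strict)
    return certificate_matches(refs, presented_ids)


# Constructed sample certificates (identifiers only, no real certificates).
XMPP_CERT = [("DNS-ID", "example.com"), ("SRV-ID", "_xmpp-client.example.com")]
WEB_ONLY_CERT = [("DNS-ID", "example.com"), ("DNS-ID", "www.example.com")]
WILDCARD_CERT = [("DNS-ID", "*.example.com")]

if __name__ == "__main__":
    # A certificate issued for the web server carries only DNS-IDs. The strict
    # XMPP client refuses it (no SRV-ID for xmpp-client), which is what blocks
    # the cross-protocol case; the lenient client accepts it on the DNS-ID.
    for name, cert in [("xmpp", XMPP_CERT), ("web-only", WEB_ONLY_CERT),
                       ("wildcard", WILDCARD_CERT)]:
        strict_ok = evaluate("xmpp-client", "example.com", True, cert)
        lenient_ok = evaluate("xmpp-client", "example.com", False, cert)
        print(f"{name:9s} strict={strict_ok!s:5s} lenient={lenient_ok}")
```

The interesting row is the web-only certificate: under the strict policy a certificate that was issued for an HTTPS service at the same domain cannot be presented to the XMPP client, whereas the lenient client treats the bare DNS-ID as sufficient, which is the cross-protocol exposure the NEW text is trying to close.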