The new text is kind-of normative, but IMO it's a significant improvement over the old text. Thanks!
On 6/27/22, 22:16, "Peter Saint-Andre" <stpe...@stpeter.im> wrote:

On 6/24/22 5:07 PM, Peter Saint-Andre wrote:
>> * Which identifier types a client includes in its list of reference
>> identifiers, and their priority, is a matter of local policy - given
>> the situation today, can we have a normative recommendation for
>> clients to be strict in constructing their reference list? If we don't
>> include such normative text, we're basically telling people to make
>> the easier choice and build lenient clients.
>
> It seems to me that the local policy will depend a great deal on the
> protocol(s) that an application supports, the state of SRV-ID and URI-ID
> support in that protocol and its implementations/deployments, etc.
> However, I do think that we can formulate some more strict rules that
> ought to be followed by implementations. Text to follow.

Here is a proposed change.

OLD

Which identifier types a client includes in its list of reference identifiers, and their priority, is a matter of local policy. For example, a client that is built to connect only to a particular kind of service might be configured to accept as valid only certificates that include an SRV-ID for that application service type. By contrast, a more lenient client, even if built to connect only to a particular kind of service, might include both SRV-IDs and DNS-IDs in its list of reference identifiers.

NEW

Which identifier types a client includes in its list of reference identifiers, and their priority, is a matter of local policy. The substance of such a policy might depend on the application protocol that a client supports, the state of SRV-ID and URI-ID support in that protocol, and similar factors. In general, a client SHOULD follow a policy that is consistent with the highest level of security and strictest rules for service identification available in an application protocol.

For instance, if the protocol defines an SRV-ID or URI-ID for the application service type and that SRV-ID or URI-ID is commonly included in certificates issued to such services, then the client ought to be configured to accept as valid only certificates that include the SRV-ID or URI-ID (not merely a DNS-ID). Such a policy can help to avoid cross-protocol attacks.

Peter

_______________________________________________
Uta mailing list
Uta@ietf.org
https://www.ietf.org/mailman/listinfo/uta
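The strict-versus-lenient reference-identifier policy discussed in the proposed NEW text, as an added example that is not part of the thread or of the draft: an XMPP client builds its reference identifiers under each policy and checks them against the identifiers presented by a certificate. The presented identifiers are constructed inline (as if already parsed from a certificate's subjectAltName); the certificate in the example is assumed to have been issued to an IMAP service on the same host.

```python
"""Reference-identifier matching in the style of RFC 6125 Section 6,
under a strict and a lenient local policy. Example code added to this
page, not from the draft or its authors. Presented identifiers are
constructed inline rather than parsed from a real certificate."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Identifier:
    kind: str   # "DNS-ID", "SRV-ID" or "URI-ID"
    value: str  # DNS-ID: host; SRV-ID: "_service.host"; URI-ID: "scheme://host"


def _match(ref: Identifier, presented: Identifier) -> bool:
    """Exact, case-insensitive comparison of one reference identifier with
    one presented identifier. Types must agree, so an SRV-ID reference for
    _xmpp-client.example.com is never satisfied by a bare DNS-ID, and an
    SRV-ID for a different service (_imap.example.com) does not match."""
    return ref.kind == presented.kind and ref.value.lower() == presented.value.lower()


def verify_service_identity(reference_ids, presented_ids) -> bool:
    """True if any reference identifier matches any presented identifier.
    Which identifier kinds appear in reference_ids is the local policy."""
    return any(_match(r, p) for r in reference_ids for p in presented_ids)


def strict_reference_ids(service: str, host: str):
    """Strict policy: only the SRV-ID for this application service type."""
    return [Identifier("SRV-ID", f"_{service}.{host}")]


def lenient_reference_ids(service: str, host: str):
    """Lenient policy: the SRV-ID or a bare DNS-ID for the host."""
    return strict_reference_ids(service, host) + [Identifier("DNS-ID", host)]


# Constructed presented identifiers: a certificate issued to the IMAP
# service at example.com that also carries a bare DNS-ID for the host.
IMAP_CERT = [Identifier("DNS-ID", "example.com"),
             Identifier("SRV-ID", "_imap.example.com")]


def xmpp_client_accepts(policy, cert=IMAP_CERT) -> bool:
    """Would an XMPP client using the given policy accept this certificate?"""
    return verify_service_identity(policy("xmpp-client", "example.com"), cert)


if __name__ == "__main__":
    print("strict :", xmpp_client_accepts(strict_reference_ids))   # False
    print("lenient:", xmpp_client_accepts(lenient_reference_ids))  # True
```

The lenient client accepts the IMAP service's certificate on the strength of its DNS-ID alone, which is the cross-protocol exposure the strict policy removes.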