[NNTP] One more STARTTLS issue
Ken Murchison
ken at oceana.com
Mon Aug 15 10:26:17 PDT 2005
Russ Allbery wrote:
> Ken Murchison <ken at oceana.com> writes:
>
>>Russ Allbery wrote:
>
>>>Sorry, I missed this.
>
>>>I don't think we did anything about this portion of Sam's review of
>>>STARTTLS:
>
>>>| The TLS document discusses certificate matching but does not discuss
>>>| certificate verification. I'd recommend using the certificate
>>>| verification specified in RFC 3280. You certainly need to say
>>>| something about verification.
>
>>>I think this may be as simple as inserting a sentence or so with a
>>>normative reference to RFC 3280.
>
>>Suggested wording? Is this a SHOULD or a MUST?
>
> How does this sound:
>
> To prevent man-in-the-middle attacks, clients MUST verify the binding
> between the identity of the server to which the client was connecting
> and the public key presented by the server. Clients SHOULD implement
> the algorithm in section 6 of [RFC3280] for general certificate
> validation, but MAY supplement that algorithm with other validation
> methods that achieve equivalent levels of verification (such as
> comparing the server certificate against a local store of
> already-verified certificates and identity bindings).

Sounds good to me. Do you want to run it by Sam? Should I spin another
draft after we add this (or equivalent) wording?
--
Kenneth Murchison Oceana Matrix Ltd.
Software Engineer 2495 Main St. - Suite 401
716-604-0088 x26 Buffalo, NY 14214
--PGP Public Key-- http://www.oceana.com/~ken/ksm.pgp
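
An added example, not part of the original message or of any draft: a client-side sketch of the proposed wording, with path validation and name matching always on and a local store of verified bindings as a supplementary check. The host name, `PINS` store, sample bytes and function names are constructed assumptions, as is the choice to require both checks whenever a stored binding exists.

```python
import hashlib, hmac, socket, ssl

# Constructed sample: stand-in DER bytes and a local store of already-verified
# identity bindings (server name -> SHA-256 of the certificate).
SAMPLE_DER = b"constructed-der-bytes-for-news.example.org"
PINS = {"news.example.org": hashlib.sha256(SAMPLE_DER).hexdigest()}

def make_context():
    """Path validation against the platform trust store, plus name matching."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = True            # identity <-> certificate binding
    ctx.verify_mode = ssl.CERT_REQUIRED  # never accept an unverified chain
    return ctx

def pin_matches(host, der_cert, pins):
    """True only if this exact certificate is already bound to this name."""
    expected = pins.get(host.lower())
    if expected is None:
        return False
    actual = hashlib.sha256(der_cert).hexdigest()
    return hmac.compare_digest(actual, expected)

def _line(sock):
    """Read one CRLF-terminated response line without over-reading."""
    buf = b""
    while not buf.endswith(b"\n"):
        chunk = sock.recv(1)
        if not chunk:
            raise ConnectionError("connection closed")
        buf += chunk
    return buf

def nntp_starttls(host, port=119, pins=None):
    """Upgrade to TLS after a 382 reply; fail closed if any check fails."""
    sock = socket.create_connection((host, port), timeout=10)
    try:
        if not _line(sock).startswith((b"200", b"201")):
            raise ConnectionError("unexpected greeting")
        sock.sendall(b"STARTTLS\r\n")
        if not _line(sock).startswith(b"382"):
            raise ConnectionError("STARTTLS refused")
        tls = make_context().wrap_socket(sock, server_hostname=host)
    except Exception:
        sock.close()
        raise
    der = tls.getpeercert(binary_form=True)
    if pins and host.lower() in pins and not pin_matches(host, der, pins):
        tls.close()
        raise ssl.CertificateError("certificate does not match stored binding")
    return tls
```
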