[NNTP] One more STARTTLS issue
Russ Allbery
rra at stanford.edu
Mon Aug 15 10:30:47 PDT 2005
Ken Murchison <ken at oceana.com> writes:
> Russ Allbery wrote:
>> How does this sound:
>> To prevent man-in-the-middle attacks, clients MUST verify the binding
>> between the identity of the server to which the client was connecting
>> and the public key presented by the server. Clients SHOULD implement
>> the algorithm in section 6 of [RFC3280] for general certificate
>> validation, but MAY supplement that algorithm with other validation
>> methods that achieve equivalent levels of verification (such as
>> comparing the server certificate against a local store of
>> already-verified certificates and identity bindings).
> Sounds good to me. Do you want to run it by Sam?
I'll do that now.
> Should I spin another draft after we add this (or equivalent) wording?
Yes.
I'll let you know what Sam says.
--
Russ Allbery (rra at stanford.edu) <http://www.eyrie.org/~eagle/>
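The verification rule in the draft wording quoted above, as an added Python example that is not part of the original message or the draft. It reads the "local store" as a dict mapping host name to the SHA-256 of an already-verified DER certificate; that store format, the function names and the sample bytes are assumptions made for illustration.

```python
import hashlib
import hmac
import socket
import ssl

# Constructed stand-in for a DER-encoded certificate (not a real certificate).
SAMPLE_DER = b"constructed sample certificate bytes"

def fingerprint(der):
    return hashlib.sha256(der).hexdigest()

def binding_ok(host, der, pins):
    """True only if this exact certificate is stored for this host."""
    expected = pins.get(host.lower())
    return expected is not None and hmac.compare_digest(expected, fingerprint(der))

def context_for(host, pins):
    """Strict validation by default; pinned hosts are checked against the store."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True
    if host.lower() in pins:
        ctx.check_hostname = False       # must be cleared before verify_mode
        ctx.verify_mode = ssl.CERT_NONE  # identity comes from binding_ok() instead
    return ctx

def read_line(sock):
    """Read one CRLF-terminated response line without buffering past it."""
    buf = b""
    while not buf.endswith(b"\n"):
        chunk = sock.recv(1)
        if not chunk:
            raise ConnectionError("connection closed")
        buf += chunk
    return buf

def nntp_starttls(host, port, pins):
    """Upgrade an NNTP connection to TLS and verify the server identity."""
    sock = socket.create_connection((host, port), timeout=10)
    try:
        read_line(sock)                       # server greeting
        sock.sendall(b"STARTTLS\r\n")
        if not read_line(sock).startswith(b"382"):
            raise ConnectionError("server did not accept STARTTLS")
        tls = context_for(host, pins).wrap_socket(sock, server_hostname=host)
        sock = tls                            # close the TLS socket on failure
        der = tls.getpeercert(binary_form=True)
        if host.lower() in pins and not binding_ok(host, der, pins):
            raise ssl.SSLCertVerificationError("certificate differs from stored binding")
        return tls
    except Exception:
        sock.close()
        raise
```

A host absent from the store always gets full path validation and host name matching, so an empty store never weakens the check.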