[NNTP] Resolution on TLS wording
Russ Allbery
rra at stanford.edu
Wed Sep 21 17:54:08 PDT 2005
The following wording has been approved as sufficient to deal with the
certificate verification issue:
    To prevent man-in-the-middle attacks, clients MUST verify the binding
    between the identity of the server to which the client was connecting
    and the public key presented by the server. Clients SHOULD implement
    the algorithm in section 6 of [RFC3280] for general certificate
    validation, but MAY supplement that algorithm with other validation
    methods that achieve equivalent levels of verification (such as
    comparing the server certificate against a local store of
    already-verified certificates and identity bindings).
(This should be the same as the language previously discussed on the
list.) As I recall, we hadn't released an I-D with that wording pending
the outcome of the IESG discussions. If my memory is correct, Ken, could
you go ahead and submit a new draft with this addition?
This is the last IESG blocking issue for any of our drafts.
Thanks!
--
Russ Allbery (rra at stanford.edu) <http://www.eyrie.org/~eagle/>
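An added example, not part of Russ's message or of any NNTP draft: what the two branches of the approved wording look like in a client. The SHOULD branch is RFC 3280 path validation plus a hostname check, which Python's default TLS context performs; the MAY branch is the local store of already-verified identity bindings (hostname to SHA-256 fingerprint of the DER certificate), checked by the client itself before any NNTP command is sent. The hostname, the store contents, the placeholder certificate bytes and the STARTTLS reply codes the connect routine expects are assumptions for the example.

```python
import hashlib
import hmac
import socket
import ssl

# Constructed stand-in for a DER-encoded server certificate. A real store
# holds the fingerprint of the actual certificate, recorded once after the
# operator verified it out of band.
SAMPLE_DER = b"constructed placeholder, not a real X.509 certificate"


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 over the DER-encoded certificate, lowercase hex."""
    return hashlib.sha256(der_cert).hexdigest()


# Local store of already-verified identity bindings: hostname -> fingerprint.
# The hostname is an assumption for this example.
PINNED_STORE = {"news.example.net": fingerprint(SAMPLE_DER)}


def matches_local_store(hostname: str, der_cert, store=PINNED_STORE) -> bool:
    """MAY branch: the identity binding is the (hostname, fingerprint) pair
    recorded in the local store. An unknown host, a missing certificate or
    any mismatch is a failure; the check never falls open."""
    expected = store.get(hostname)
    if expected is None or not der_cert:
        return False
    # Constant-time comparison so a mismatch position is not observable.
    return hmac.compare_digest(fingerprint(der_cert), expected.lower())


def rfc3280_context() -> ssl.SSLContext:
    """SHOULD branch: chain validation against the platform trust anchors
    plus matching of the server name against the certificate."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    ctx.check_hostname = True            # identity binding: name in cert
    ctx.verify_mode = ssl.CERT_REQUIRED  # path validation to a trust anchor
    return ctx


def local_store_context() -> ssl.SSLContext:
    """MAY branch: the library's chain check is turned off, so the caller
    MUST run matches_local_store() on the handshake result itself."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False   # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def open_verified(hostname: str, port: int = 119, pinned: bool = False) -> ssl.SSLSocket:
    """Connect, issue STARTTLS (expecting a 382 continuation reply), and
    refuse to return the socket unless one of the two checks passed.
    Greeting and reply codes are assumptions about the peer."""
    ctx = local_store_context() if pinned else rfc3280_context()
    raw = socket.create_connection((hostname, port), timeout=10)
    greeting = raw.recv(512)
    if not greeting.startswith((b"200", b"201")):
        raw.close()
        raise ConnectionError(f"unexpected greeting: {greeting!r}")
    raw.sendall(b"STARTTLS\r\n")
    if not raw.recv(512).startswith(b"382"):
        raw.close()
        raise ConnectionError("server declined STARTTLS")
    # With rfc3280_context() an invalid chain or name fails the handshake here.
    tls = ctx.wrap_socket(raw, server_hostname=hostname)
    if pinned and not matches_local_store(hostname, tls.getpeercert(binary_form=True)):
        tls.close()
        raise ssl.SSLCertVerificationError(f"{hostname}: certificate not in local store")
    return tls
```

The point of the local-store branch is that disabling the library's verification only moves the obligation: the client still has to bind the name it dialled to the key it was shown, and has to do so before sending the first NNTP command, which is why open_verified() closes the socket rather than returning it on a miss.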