[NNTP] Resolution on TLS wording

Russ Allbery rra at stanford.edu
Wed Sep 21 17:54:08 PDT 2005


The following wording has been approved as sufficient to deal with the
certificate verification issue:

     To prevent man-in-the-middle attacks, clients MUST verify the binding
     between the identity of the server to which the client was connecting
     and the public key presented by the server.  Clients SHOULD implement
     the algorithm in section 6 of [RFC3280] for general certificate
     validation, but MAY supplement that algorithm with other validation
     methods that achieve equivalent levels of verification (such as
     comparing the server certificate against a local store of
     already-verified certificates and identity bindings).

(This should be the same as the language previously discussed on the
list.)  As I recall, we hadn't released an I-D with that wording pending
the outcome of the IESG discussions.  If my memory is correct, Ken, could
you go ahead and submit a new draft with this addition?

This is the last IESG blocking issue for any of our drafts.

Thanks!

-- 
Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>
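The approved wording admits two ways for a client to establish the binding between the server name it connected to and the presented public key: RFC 3280 path validation with a name check, or comparison against a local store of already-verified identity bindings. The following Go client-side check is an added example illustrating both paths; it is not part of the message or of any NNTP draft, and the function names, the SPKI-hash pin format and the self-signed test certificate are this example's own assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/hex"
	"errors"
	"math/big"
	"time"
)

// PinStore is the "local store of already-verified identity bindings": server name -> hex SHA-256 of its SubjectPublicKeyInfo.
type PinStore map[string]string

// SPKIFingerprint hashes the public key the server presented; that key is what the dialled identity must be bound to.
func SPKIFingerprint(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return hex.EncodeToString(sum[:])
}

// VerifyServerBinding enforces the MUST: accept only if host is bound to the presented key, either by
// path validation with a name check (the SHOULD, RFC 3280 style) or, failing that, by a matching pin (the MAY).
func VerifyServerBinding(host string, leaf *x509.Certificate, roots *x509.CertPool, pins PinStore) error {
	if _, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots}); err == nil {
		return nil
	}
	if fp, ok := pins[host]; ok && fp == SPKIFingerprint(leaf) {
		return nil
	}
	return errors.New("server identity is not bound to the presented public key")
}

// MakeServerCert builds a self-signed certificate naming host (constructed test data; a real client gets the certificate from the handshake).
func MakeServerCert(host string) *x509.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	cert, _ := x509.ParseCertificate(der)
	return cert
}
```

A certificate that chains to a trusted root but names a different host is rejected on the first path and, absent a pin for the dialled name, on the second as well, which is the man-in-the-middle case the wording targets.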