Dear all, We would like to get some feedback on RFC2818 and RFC 6125 when specifying TLS for ALTO.
Specifically, RFC6125 is a more recent RFC that considers not only CN and DNS domain name, but also SRV and URI. As our ALTO Base protocol does not need to use SRV and URI and we believe that most https libraries are based on RFC2818 for host verification (for example, libcurl using CURLOPT_SSL_VERIFYHOST), we may solely consider RFC2818. On the other hand, RFC6125 does make some related recommendations: - Move away from including and checking strings that look like domain names in the subject's Common Name. - Move away from the issuance of so-called wildcard certificates (e.g., a certificate containing an identifier for "*.example.com"). The question for us is whether we add wording related with the recommendation of RFC 6125. One possibility to move forward with the Postel's, with wording such as: "ALTO protects the authenticity and integrity of ALTO Information (both Information Directory and individual Information Resources) by leveraging the authenticity and integrity mechanisms in TLS. In particular, the ALTO Protocol requires that HTTP over TLS [RFC2818] MUST be supported, when protecting the authenticity and integrity of ALTO Information is required. The rules in [RFC2818] for a client to verify server identity using server certificates MUST be supported. ALTO Providers who request server certificate and certification authorities who issue ALTO-specific certificates SHOULD consider the recommendations and guidelines defined in [RFC6125]." Thanks! Richard
_______________________________________________ alto mailing list [email protected] https://www.ietf.org/mailman/listinfo/alto
