Hi Alexey,

Thanks for helping me work through these... one more round on open issues, inline below:

On Jan 18, 2012, at 6:43 PM, Alexey Melnikov wrote:

> Hi Brian,
>
> On 18/01/2012 16:16, Brian Trammell wrote:
>> On Jan 18, 2012, at 3:38 PM, Alexey Melnikov wrote:
>>> On 17/01/2012 10:16, Brian Trammell wrote:
>>>> On Jan 14, 2012, at 9:45 PM, Alexey Melnikov wrote:
>>>>
>>>>>
>>>>> RID systems MUST use TLS version 1.1 [RFC4346] or higher with mutual
>>>>> authentication for transport confidentiality, identification, and
>>>>>
>>>>> Do you mean that a RID client must use X.509 certificates?
>>>> Well, each RID system (HTTP client or server) is identified by an X.509
>>>> certificate (hence "mutual"); how can I make this clearer?
>>>>
>>>>> authentication, as in [RFC2818].
>>>>>
>>>>> I find the whole sentence to be confusing. Note that the rules of RFC
>>>>> 6125 for certificate verification are stricter than in RFC 2818 and this
>>>>> sentence can be read as conflicting with the paragraph below which
>>>>> requires use of RFC 6125. What are you trying to say here?
>>>> The intention here is "Use current best practices as would be supported by
>>>> off-the-shelf HTTP/1.1 and TLS 1.1 implementations to provide mutual
>>>> authentication." "Current best practices", however, seems to be something
>>>> of a moving target.
>>>>
>>>> I cite 2818 as it is the current binding between HTTP/1.1 and TLS. I cite
>>>> 6125 solely for certificate verification.
>>> How about something like this:
>>>
>>> OLD:
>>> RID systems MUST use TLS version 1.1 [RFC4346] or higher with mutual
>>> authentication for transport confidentiality, identification, and
>>> authentication, as in [RFC2818].
>>>
>>> NEW:
>>> RID systems MUST use HTTP over TLS as specified in [RFC2818], with the
>>> exception of server TLS identity verification which is detailed below.
>> Ah. Okay, now I understand the issue...
> This is only one of them...
>>> RID systems MUST use TLS version 1.1 [RFC4346] or higher with mutual
>>> X.509 authentication. TLS provides for transport confidentiality,
>>> identification, and authentication.
>> The language has changed in -07 to the following; would this be acceptable?
>>
>> RID systems MUST use TLS version 1.1 [RFC4346] or higher with mutual
>> authentication for confidentiality, identification, and
>> authentication, as in [RFC2818],
> Part of the issue with this text is that it reads as if "mutual authentication"
> results in "confidentiality, identification and authentication". TLS does,
> that is why I split the sentence into multiple. Also RFC 2818 is a wrong
> reference because it doesn't even mention confidentiality.
> I am hoping this is not nitpicking, but I think using simpler sentences is
> clearer.

Absolutely.

>> when transporting RID messages over
>> HTTPS.
> The rest looks good to me:
>> RID systems MUST use mutual authentication; that is, both RID
>> systems acting as HTTPS clients and RID systems acting as HTTPS
>> servers MUST be identified by an X.509 certificate [RFC5280]. Mutual
>> authentication requires full path validation on each certificate, as
>> defined in [RFC5280].

So, how about the following:

RID systems MUST use TLS version 1.1 [RFC4346] or higher for confidentiality, identification, and authentication, as in Section 2 of [RFC2818]. RID systems MUST use mutual authentication; that is, both RID systems acting as HTTPS clients and RID systems acting as HTTPS servers MUST be identified by an X.509 certificate [RFC5280]. Mutual authentication requires full path validation on each certificate, as defined in [RFC5280].

Many thanks, best regards,

Brian
_______________________________________________
Gen-art mailing list
https://www.ietf.org/mailman/listinfo/gen-art
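The text proposed in this thread requires TLS with mutual X.509 authentication and full RFC 5280 path validation on each certificate, with server identity checked as detailed in the draft. As an added example that is not part of this thread or of the RID specification, the Go program below builds a constructed CA, a RID server certificate and a RID client certificate at runtime and runs a mutually authenticated handshake in memory; the host names, the CA, the 3-second pipe deadline and the TLS 1.2 floor (rather than the thread's 1.1, since RFC 8996 has since deprecated TLS 1.0 and 1.1) are all assumptions of the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// issue signs a certificate for name with parentKey; constructed test material for this example, not real RID identities.
func issue(name string, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: name}, DNSNames: []string{name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour), IsCA: parent == nil, BasicConstraintsValid: true,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	if parent == nil { parent, parentKey = tmpl, key } // no parent: self-signed trust anchor
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// handshake runs one client/server handshake in memory and returns both sides' errors (a TLS 1.3 client may finish first).
func handshake(clientPresentsCert bool, expectedName string) (clientErr, serverErr error) {
	ca, caKey := issue("ca.example.net", nil, nil)
	srv, srvKey := issue("rid.example.net", ca, caKey)
	cli, cliKey := issue("rid-peer.example.org", ca, caKey)
	pool := x509.NewCertPool() // the one trust anchor both RID systems validate the peer's chain against (RFC 5280)
	pool.AddCert(ca)
	srvCfg := &tls.Config{MinVersion: tls.VersionTLS12, SessionTicketsDisabled: true, // RFC 8996 retired TLS 1.0/1.1
		ClientAuth:   tls.RequireAndVerifyClientCert, ClientCAs: pool, // mutual: the client MUST present a chain to the CA
		Certificates: []tls.Certificate{{Certificate: [][]byte{srv.Raw}, PrivateKey: srvKey}}}
	cliCfg := &tls.Config{MinVersion: tls.VersionTLS12, RootCAs: pool, ServerName: expectedName} // name checked against the SAN
	if clientPresentsCert { cliCfg.Certificates = []tls.Certificate{{Certificate: [][]byte{cli.Raw}, PrivateKey: cliKey}} }
	cConn, sConn := net.Pipe()
	for _, c := range []net.Conn{cConn, sConn} { c.SetDeadline(time.Now().Add(3 * time.Second)) } // never hang on a rejection
	done := make(chan error, 1)
	go func() { defer sConn.Close(); done <- tls.Server(sConn, srvCfg).Handshake() }()
	clientErr = tls.Client(cConn, cliCfg).Handshake()
	cConn.Close() // unblocks a server that is still trying to send its rejection alert
	return clientErr, <-done
}

func main() { fmt.Println(handshake(true, "rid.example.net")) } // both nil when mutually authenticated
```

Calling handshake with clientPresentsCert set to false shows the server refusing a client without a certificate, and an expectedName other than the server's SAN shows the client refusing the server, which is the "each certificate" half of the mutual requirement.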
