On Mon, Aug 19, 2019 at 09:05:21PM +0100, Stephen Farrell wrote:
>
> Hiya,
>
> I didn't read the drafts, but Nick's comments make sense to
> me so I'd give those a +1 (modulo not having read the draft
> of course:-)
>
> One other thought...
>
> On 19/08/2019 17:07, Kai Engert wrote:
> > If the client
> > supports it, and if the connection is encrypted, then the client
> > sends its client side identifier.
>
> Sometimes I've been prompted to accept a hotspot's bogus
> certificate for IMAP if my MUA is the first to trip over
> a hotspot. A user might hit yes in such a case which is
> a bad idea yes, but I guess happens. I guess an active
> attack could appear similarly.
>
> So is there a reason to tie the CLIENTID to the server
> credentials I wonder? E.g. to rotate it whenever the
> server cert changes. That might also discourage servers
> from assuming that the CLIENTID never changes.

I was going to say something similar. So, a "yes" from me :)

-Ben

_______________________________________________
ietf-privacy mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ietf-privacy
