Tero, thanks for the comments and the clarification on how to read a lower case must. I do have a few more comments.

> So implementations cannot just search uppercase "MUST/SHOULD/MAY"
> texts and assume it is enough to make sure those are correct. It also
> needs to do what the text says...
>

I think most implementers focus on the MUST and SHOULDs and then apply common sense to the remaining text.

>> CRL checking is not cheap and
>> performing CRL checking when selecting a certificate seems like an optional
>> usability feature to me.
>
> Then you probably want to make a change to the current text which says
> you must do it...

Correct. I think when selecting a certificate that consulting revocation information is a lower case should or could at best. I agree that on the accepting side a lower case must is appropriate for revocation checking from an interoperability perspective. By that I mean the failure to do so will not hinder interoperability, but from a security perspective it really should be done.

Dave Wierbowski
z/OS Comm Server Developer
Phone:
  Tie line: 620-4055
  External: 607-429-4055