On Sun, Aug 17, 2014 at 9:22 AM, Ralph Holz <[email protected]> wrote:
> EDIT: And of course, RFC 5280 describes the process of correct hostname
> validation, too.

The issue isn't implementing validation: it's knowing that this is a
separate step that TLS implementations (yaSSL, OpenSSL, MatrixSSL,...)
don't do automatically (or in some cases at all). Maybe the text.

"Application authors should take note that TLS implementations
frequently do not validate hostnames, and must therefore determine if
the TLS implementation they are using does, and if not write their own
validation code or consider changing the TLS implementation" would
work.

As for ephemeral keys, I feel that text akin to "TLS users should be
aware that reuse of ephemeral keys negates many of the advantages, and
SHOULD NOT be used" is fine. It might be seen as adding a normative
bit, but that's okay: we're taking optional behavior and saying "yes,
this is good, but alternatives aren't".

Sincerely,
Watson Ladd

>
>
> Hi,
>
>>> We seem to be woefully short on advice dealing with hostname
>>> validation. This is probably the real world problem that most often
>>> trips people up, in part because OpenSSL versions prior to 0.9.8 don't
>>> do it, and many TLS libraries have poor interfaces for it.
>>
>> I would appreciate proposed text about hostname validation. I suspect
>> this simply amounts to "please implement the RFC correctly", but if
>> there's something better we can say, let's do it.
>
> IIRC the current Baseline Requirements by the CA/B Forum have such a
> definition. It amounts to putting the domain/host name in the Subject
> Alternative Name, with wildcarding defined.
>
> I can put together some text, if you want?
>
> Ralph
>
>
> --
> Ralph Holz
> I8 - Network Architectures and Services
> Technische Universität München
> http://www.net.in.tum.de/de/mitarbeiter/holz/
> Phone +49.89.289.18043
> PGP: A805 D19C E23E 6BBB E0C4  86DC 520E 0C83 69B0 03EF
>
> _______________________________________________
> Uta mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/uta



-- 
"Those who would give up Essential Liberty to purchase a little
Temporary Safety deserve neither  Liberty nor Safety."
-- Benjamin Franklin
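
Added example (not from this thread, nor from any of the TLS libraries named in it): the application-side check the first paragraph says authors may have to write themselves, matching a hostname against the certificate's SAN entries with the wildcard rule Ralph mentions. It assumes `subject_alt_names` is a list of (type, value) pairs in the shape Python's `ssl.SSLSocket.getpeercert()['subjectAltName']` returns; IDNA and the Subject CN are deliberately out of scope.

```python
# Added example: hostname validation against SAN dNSName / IP Address
# entries, for use when the TLS library leaves this step to the caller.
import ipaddress


def _match_dns_name(pattern: str, hostname: str) -> bool:
    """Compare one SAN dNSName pattern against a hostname, case-insensitively."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern or not hostname:
        return False
    if "*" not in pattern:
        return pattern == hostname
    plabels = pattern.split(".")
    hlabels = hostname.split(".")
    # Wildcard must be the entire left-most label, nothing else may contain
    # one, and we conservatively require at least two fixed labels after it
    # (so "*" and "*.com" are rejected). Partial wildcards ("f*o.") are
    # rejected too, rather than honoured.
    if plabels[0] != "*" or len(plabels) < 3 or any("*" in l for l in plabels[1:]):
        return False
    # A wildcard matches exactly one label: "*.example.org" does not match
    # "example.org" or "a.b.example.org".
    if len(hlabels) != len(plabels) or hlabels[0] == "":
        return False
    return plabels[1:] == hlabels[1:]


def hostname_matches_cert(hostname: str, subject_alt_names) -> bool:
    """subject_alt_names: sequence of (type, value) pairs such as
    ('DNS', 'www.example.com') or ('IP Address', '192.0.2.10').
    Only dNSName entries are consulted for DNS names and only IP Address
    entries for IP literals; the Subject CN is intentionally ignored."""
    try:
        ip = ipaddress.ip_address(hostname)
    except ValueError:
        ip = None
    for kind, value in subject_alt_names:
        if ip is not None and kind == "IP Address":
            try:
                if ipaddress.ip_address(value) == ip:
                    return True
            except ValueError:
                continue  # malformed IP entry in the cert: skip, do not trust
        elif ip is None and kind == "DNS" and _match_dns_name(value, hostname):
            return True
    return False
```

A library that does validate will typically expose the same decision as a flag (for example `check_hostname` on a Python `ssl.SSLContext`); the point of the thread is that you must confirm which case you are in rather than assume.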

