On Aug 17, 2014, at 5:38 PM, Will Sargent <[email protected]> wrote:
> Rather than "please implement the RFC correctly", I'd say "please test that
> your implementation correctly implements hostname verification, using dnschef
> or another spoofer. I have an example here:
> http://tersesystems.com/2014/03/31/testing-hostname-verification/

So, we can't really say that using that particular implementation verifier is a Best Practice, but we *can* say that verifying that an implementation implements each of the listed best practices is itself a best practice.

Separately, someone (probably not me) should create a public list of TLS implementation verification tools, and that should include dnschef (which I had not heard of before).

--Paul Hoffman
