On 18 Aug 2014, at 17:11, Paul Hoffman <[email protected]> wrote:

> On Aug 17, 2014, at 5:38 PM, Will Sargent <[email protected]> wrote:
> 
>> Rather than "please implement the RFC correctly", I'd say "please test that 
>> your implementation correctly implements hostname verification, using 
>> dnschef or another spoofer. I have an example here: 
>> http://tersesystems.com/2014/03/31/testing-hostname-verification/ 
> 
> So, we can't really say that using that particular implementation verifier is 
> a Best Practice, but we *can* say that verifying that an implementation 
> implements each of the listed best practices is itself a best practice. 
> Separately, someone (probably not me) should create a public list of TLS 
> implementation verification tools, and that should include dnschef (which I 
> had not heard of before).

We also need to consider protocols where the hostname is not part of the 
verification process. SIP currently has the SIP domain, not the server 
hostname, in the certificate.
There are other protocols than HTTP out there. :-)

/O
_______________________________________________
Uta mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/uta
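The point raised in the thread, that the reference identifier a client checks the certificate against must come from what the user asked for (the SIP domain in the SIP URI) and not from the server name that DNS resolution happened to return, can be shown with a small matcher. The following is an added example, not code from the thread or from any of the tools it mentions. It assumes constructed subjectAltName lists and constructed names (example.com, sip-proxy1.hosting.example), a simplified RFC 6125-style wildcard rule for dNSName entries, and models a SIP domain certificate as carrying the domain in a `sip:` URI entry or a plain dNSName entry (the RFC 5922 shape); rejecting wildcards for the SIP domain match is this example's own conservative choice. The spoofed-DNS scenario is the one a tool such as dnschef lets you reproduce in a test: the answer points the client at a host the attacker holds a perfectly valid certificate for.

```python
"""Reference-identifier matching: DNS hostname vs SIP domain (added example)."""
from __future__ import annotations


def _split_labels(name: str) -> list[str]:
    """Lower-case, strip a trailing dot, split into labels ('' marks an empty label)."""
    name = name.rstrip(".").lower()
    return name.split(".") if name else []


def match_dns_id(presented: str, reference: str) -> bool:
    """Match a presented dNSName (possibly '*.example.com') against a reference hostname.

    Simplified RFC 6125 wildcard rule: only the whole left-most label may be '*',
    it matches exactly one label, and at least two labels must follow it
    (so '*.com' is refused). Comparison is case-insensitive.
    """
    p, r = _split_labels(presented), _split_labels(reference)
    if not p or not r or "" in p or "" in r or "*" in reference:
        return False
    if "*" not in presented:
        return p == r
    if p[0] != "*" or any("*" in lbl for lbl in p[1:]) or len(p) < 3:
        return False
    return len(p) == len(r) and p[1:] == r[1:]


def cert_matches(san: list[tuple[str, str]], ref_type: str, ref_id: str) -> bool:
    """Return True if some subjectAltName entry matches the reference identifier.

    san      : list of (entry_type, value); entry_type is 'DNS' or 'URI'
    ref_type : 'DNS' -> ref_id is the hostname the client meant to reach
               'SIP' -> ref_id is the SIP domain taken from the SIP URI
    """
    if ref_type == "DNS":
        return any(t == "DNS" and match_dns_id(v, ref_id) for t, v in san)
    if ref_type == "SIP":
        domain = ref_id.lower().rstrip(".")
        for t, v in san:
            # URI form of a SIP domain certificate: sip:example.com
            if t == "URI" and v.lower().startswith("sip:") \
                    and v[4:].lower().rstrip(".") == domain:
                return True
            # dNSName form; wildcards deliberately not honoured for a SIP domain
            if t == "DNS" and "*" not in v and v.lower().rstrip(".") == domain:
                return True
        return False
    raise ValueError(f"unknown reference identifier type: {ref_type}")


# Constructed scenario (not from the thread): a client wants sip:alice@example.com.
SIP_DOMAIN = "example.com"
# Host the DNS answer (SRV/A, possibly spoofed as dnschef would) pointed the client at.
RESOLVED_HOST = "sip-proxy1.hosting.example"

# Certificate of the legitimate SIP service for example.com (domain certificate).
LEGIT_SAN = [("URI", "sip:example.com"), ("DNS", "example.com")]
# A certificate genuinely issued for the host the spoofed answer pointed at.
SPOOFED_SAN = [("DNS", "sip-proxy1.hosting.example")]


def sip_check(san: list[tuple[str, str]], resolved_host: str, sip_domain: str):
    """Return (naive_result, correct_result) for one handshake.

    naive   : matches against the DNS-resolved server name (trusts DNS)
    correct : matches against the SIP domain from the SIP URI
    """
    naive = cert_matches(san, "DNS", resolved_host)
    correct = cert_matches(san, "SIP", sip_domain)
    return naive, correct


if __name__ == "__main__":
    print("legitimate cert:", sip_check(LEGIT_SAN, RESOLVED_HOST, SIP_DOMAIN))
    print("spoofed-DNS cert:", sip_check(SPOOFED_SAN, RESOLVED_HOST, SIP_DOMAIN))
```

Run as shown, the naive check gets both answers backwards: it rejects the legitimate example.com domain certificate (the resolved proxy name is not in it) and accepts the certificate presented by the host the forged DNS answer led to. Checking against the SIP domain gives the opposite, correct, verdict in both cases, which is exactly what a spoofer-based test of an implementation should confirm.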