On Aug 18, 2014 8:12 AM, "Paul Hoffman" <[email protected]> wrote: > > On Aug 17, 2014, at 5:38 PM, Will Sargent <[email protected]> wrote: > > > Rather than "please implement the RFC correctly", I'd say "please test that your implementation correctly implements hostname verification, using dnschef or another spoofer. I have an example here: http://tersesystems.com/2014/03/31/testing-hostname-verification/ > > So, we can't really say that using that particular implementation verifier is a Best Practice, but we *can* say that verifying that an implementation implements each of the listed best practice is itself a best practice. Separately, someone (probably not me) should create a public list of TLS implementation verification tools, and that should include dnschef (which I had not heard of before).
This is too meta. If your told "make sure X is done", then testing you do X is implied. I wouldn't want to mandate a particular tool, but it seems clear to me that "make sure your application checks it sees the right certificate" addresses the problem directly and is protocol neutral. We probably need more wording explaining that overlying applications have their one ways to do it. > > --Paul Hoffman > _______________________________________________ > Uta mailing list > [email protected] > https://www.ietf.org/mailman/listinfo/uta
_______________________________________________ Uta mailing list [email protected] https://www.ietf.org/mailman/listinfo/uta
