On 2014-10-24 19:29, Peter Saint-Andre wrote: > >> On Oct 24, 2014, at 10:51 AM, Ilari Liusvaara <[email protected]> >> wrote: >> >>> On Fri, Oct 24, 2014 at 05:21:03PM +0200, Leif Johansson wrote: >>> >>> Folks, >>> >>> This email starts a 2 week WGLC for draft-ietf-uta-tls-bcp-06. Please >>> provide your comments no later than Friday the 7th of November. >> >> >> Should there be anything about ensuring that trust anchors are >> properly validated? After all, path validation doesn't mean much >> if there are trivial ways to bypass it. > > Referencing RFC 5280 and RFC 6125 might be enough in this context. >
Maybe stick that in the security considerations section? > Peter > >> >> There have been programs that do proper validation of names, >> but: >> >> 1) Accept inapporiate self-signed certificates. >> 2) Accept any certificate signed by a "CA" (don't validate TAs). >> 3) Both 1 and 2 at once. >> >> >> The set of apporiate trust anchors is obviously application-specific >> and could even include EE certificates (or RFC 7250 RPKs). >> >> >> >> -Ilari >> >> _______________________________________________ >> Uta mailing list >> [email protected] >> https://www.ietf.org/mailman/listinfo/uta _______________________________________________ Uta mailing list [email protected] https://www.ietf.org/mailman/listinfo/uta
