Hi Martin,
I'm not sure about your erratum, when taken in context. The very next
paragraph says:
It is noted that the requirements regarding host name validation (and,
in general, binding between the TLS layer and the protocol that runs
above it) vary between different protocols. For HTTPS, these
requirements are defined by Section 3 of [RFC2818].
This is very much in line with your explanation.
Thanks,
Yaron
On 05/08/2015 09:47 PM, RFC Errata System wrote:
The following errata report has been submitted for RFC7525,
"Recommendations for Secure Use of Transport Layer Security (TLS) and Datagram
Transport Layer Security (DTLS)".
--------------------------------------
You may review the report below and at:
http://www.rfc-editor.org/errata_search.php?rfc=7525&eid=4360
--------------------------------------
Type: Technical
Reported by: Martin Rex <[email protected]>
Section: 6.1
Original Text
-------------
6.1. Host Name Validation
Application authors should take note that some TLS implementations do
not validate host names. If the TLS implementation they are using
does not validate host names, authors might need to write their own
validation code or consider using a different TLS implementation.
Corrected Text
--------------
6.1. Host Name Validation
Application authors should take note that the TLS protocol explicitly
defers checking of names and attributes of end-entity certificates
to applications, see last sentence of RFC5246, Section 1 (TLSv1.2).
Some TLS implementations may offer a convenience function to perform
a server endpoint identification according to RFC 2818, Section 3
(HTTP over TLS). For TLS implementations without such a convenience
function, and for applications with different server identification
schemes, application implementors may have to write the necessary
code themselves.
Notes
-----
TLSv1.0 (rfc2246), TLSv1.1 (rfc4346) and TLSv1.2 (rfc5246) are quite
clear in that the original text is misleading on the actual properties
provided by a TLS implementation itself:
https://tools.ietf.org/html/rfc5246#page-5
how to interpret the authentication certificates
exchanged are left to the judgment of the designers and implementors
of protocols that run on top of TLS.
Instructions:
-------------
This erratum is currently posted as "Reported". If necessary, please
use "Reply All" to discuss whether it should be verified or
rejected. When a decision is reached, the verifying party (IESG)
can log in to change the status and edit the report, if necessary.
--------------------------------------
RFC7525 (draft-ietf-uta-tls-bcp-11)
--------------------------------------
Title : Recommendations for Secure Use of Transport Layer
Security (TLS) and Datagram Transport Layer Security (DTLS)
Publication Date : May 2015
Author(s) : Y. Sheffer, R. Holz, P. Saint-Andre
Category : BEST CURRENT PRACTICE
Source : Using TLS in Applications
Area : Applications
Stream : IETF
Verifying Party : IESG
_______________________________________________
Uta mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/uta
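To make concrete the point both the erratum and Yaron's reply turn on (the TLS layer hands the peer certificate to the application, and matching its name against the intended host is the application's or its library's job), here is an added example that is not from the thread or from any RFC: an application-side server identity check in the style of RFC 2818, Section 3, run over a dict in the shape returned by Python's `ssl.SSLSocket.getpeercert()`. It follows RFC 2818's own wildcard rule ('*' may match a fragment of one label); current practice, including RFC 6125 and Python's `SSLContext.check_hostname`, is stricter and only accepts '*' as the entire leftmost label. The certificate dicts below are constructed for the example.

```python
import ipaddress
import re

def dns_name_matches(pattern: str, host: str) -> bool:
    """RFC 2818, Section 3.1 dNSName matching: case-insensitive, label by
    label, where '*' matches any part of a single label and never crosses a
    dot ('*.a.com' matches 'foo.a.com' but not 'bar.foo.a.com')."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = host.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    for p, h in zip(p_labels, h_labels):
        # Escape the label, then let '*' stand for any run of label characters.
        label_re = "^" + ".*".join(re.escape(part) for part in p.split("*")) + "$"
        if not re.match(label_re, h):
            return False
    return True

def server_identity_matches(cert: dict, hostname: str) -> bool:
    """Return True if the peer certificate names the host we intended to reach.
    `cert` has the shape of ssl.SSLSocket.getpeercert(): a 'subject' tuple of
    RDNs and a 'subjectAltName' tuple of (type, value) pairs. Per RFC 2818 the
    SAN dNSName entries are authoritative and the subject CN is consulted only
    when no dNSName is present; an IP literal must match an iPAddress entry."""
    san = cert.get("subjectAltName", ())
    dns_names = [v for kind, v in san if kind == "DNS"]
    ip_names = [v for kind, v in san if kind == "IP Address"]
    try:
        wanted_ip = ipaddress.ip_address(hostname)
    except ValueError:
        wanted_ip = None
    if wanted_ip is not None:
        return any(ipaddress.ip_address(v) == wanted_ip for v in ip_names)
    if dns_names:
        return any(dns_name_matches(p, hostname) for p in dns_names)
    common_names = [v for rdn in cert.get("subject", ())
                    for kind, v in rdn if kind == "commonName"]
    return any(dns_name_matches(cn, hostname) for cn in common_names)

# Constructed sample peer certificate (not a real certificate).
SAMPLE_CERT = {
    "subject": ((("commonName", "cn-only.example.net"),),),
    "subjectAltName": (("DNS", "www.example.com"),
                       ("DNS", "*.api.example.com"),
                       ("IP Address", "192.0.2.10")),
}
# Constructed legacy certificate with no SAN, so the CN is the identity.
CN_ONLY_CERT = {"subject": ((("commonName", "legacy.example.org"),),)}
```

Note that when a subjectAltName with dNSName entries is present, a matching CN alone is ignored, which is the case the check above gets wrong most often when hand-written.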