> I think something similar to this is fine, perhaps just emphasising that
> a publicly-trusted certificate is required. Yes, that's vague, but I
> think it will be understood. (And see below for a further comment about
> that.)
>
> As an unrelated thought, have you considered standardising on the root
> store? I admit not thinking a lot about it, but it's tempting. Given
> that there is currently little proper certificate validation in SMTP, I
> suspect that many clients and servers use stores that are not up to
> date. Saying something like "you must use Mozilla's root store and you
> must update it at least once a day/week/month", would preempt a great
> number of problems in practice IMO. Of course, politics might get in the
> way, and attaching to any one store is dangerous, but at least Mozilla
> have been doing a good job, historically.
Speaking as an individual I don't think its appropriate to reference
mozillas (or anyone else's) trust management process unless it is open
and subject to similar open governance as the IETFs process is.
Instead why not say something like this:
MTAs implementing this specification SHOULD rely on common techniques
for keeping a set of trust anchors relevant for the use in validating
TLS connections for HTTP updated and current.
possibly combining something like that with those lines from HSTS
Cheers Leif
_______________________________________________
Uta mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/uta
