Hi Chris,
At 11:08 20-09-2011, Chris Palmer wrote:
> Is attached, now in XML. The main change is that I got rid of the widely
> and rightly reviled pin revocation business, and replaced it with a
> better idea from Trevor Perrin. Big thanks to everyone who reviewed
> and commented on the previous draft. Precisely how to generate
> fingerprints is answered with working code from Adam Langley. The
> gross errors that surely remain are my fault alone. :)
These comments are editorial.
Under Status of this Memo:
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Section 10 of RFC 2026 has been updated by newer RFCs.
The Copyright Notice should be according to the IETF Trust legal
provisions. This can be generated automatically (see
www.rfc-editor.org/rfc-editor/intro_xml2rfc.pdf).
As an example, in Section 3.3.3:
"You SHOULD attempt to get the certificate revoked by whatever means"
In terms of style, the requirement (SHOULD) should not be directed to
the reader. You could rewrite that as:
The certificate SHOULD be revoked by whatever means
In Section 3.7.4:
"CDNs MAY, and SHOULD, also use certificate pinning independently of
any of their customers."
There is always some long discussion in the IETF about RFC 2119. To
keep it simple, don't say MAY and SHOULD do X. The MAY is not needed
in this case.
Think about the Security Considerations section. Some of the
existing text could go under there.
As you are defining a new HTTP header field, add an IANA
Considerations section for it to be registered. You can deal with
that as the work on the I-D progresses.
Don't read any of the above as gross errors. :-)
Regards,
-sm
_______________________________________________
websec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/websec