On Apr 3, 2012, at 1:27 PM, Alexey Melnikov wrote: > 8.3. Errors in Secure Transport Establishment > > When connecting to a Known HSTS Host, the UA MUST terminate the > connection (see also Section 11 "User Agent Implementation Advice", > below) if there are any errors (e.g., certificate errors), whether > "warning" or "fatal" or any other error level, with the underlying > secure transport. This includes any issues with certificate > revocation checking whether via the Certificate Revocation List (CRL) > [RFC5280], or via the Online Certificate Status Protocol (OCSP) > [RFC2560]. > > This was discussed in Paris, but I had this in my notes already and would > like to emphasize this: I assume that explaining the reason for the failure > to the user (without letting the user to opt-out) is Ok? I think the document > needs to make it clear that this is not prohibited.
Disagree. There are plenty of things that are not prohibited by this (or any other) protocol that go unmentioned. I don't see anything in this paragraph that indicates that such messages are even discouraged, so the proposed addition is unnecessary. It might be confusing, in that it will be the only place where optional messages are allowed. --Paul Hoffman _______________________________________________ websec mailing list [email protected] https://www.ietf.org/mailman/listinfo/websec
