On 08/30/2012 11:41 AM, Tim Moses wrote:
> And for issuers, it can be difficult to predict what proportion of the user
> population will accept a certificate chain with certain characteristics. For
> instance, when a browser includes a nonce in an OCSP request but the server
> supplies a response that does not include the nonce, it is hard to know which
> browsers will accept and which will reject the response.
This is stated as a concern primarily for issuers, but it is arguably
more of a concern for certificate holders than for issuers, if i'm
reading it correctly.
There are 4 parties involved in web pki fwict:
* web clients (mostly the users of web browsers, as far as i can make
out in this proposal)
* certificate issuers
* software developers and vendors
* certificate holders
The charter proposal here speaks directly to the first three categories,
but doesn't seem to explicitly address the last category. Is it worth
mentioning them explicitly?
Also, i wonder about the scoping of web clients specifically to the
users of browsers. While this is convenient for discussion, web
protocols are used heavily as transport backends and automated contexts
as well. For example, HTTPS is required for CALDAV; it's used by many
RSS feedreaders; and it's used as a backend transport for federated
messaging systems.
Currently, i think the clarification about "other applications are
explicitly out of scope" a bit ambiguous, because it's not clear where
to draw the line between, say, S/MIME e-mail certificates (clearly out
of scope) and a human in front of a web browser (clearly in-scope).
Should that line be more clearly drawn?
Regards,
--dkg
wpkops mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/wpkops
