On 09/15/2012 11:02 AM, Tim Moses wrote:
> Filename: draft-moses-webpki-trustmodel
> Revision: 01

Thanks for the new version, Tim. I think it's an improvement on the old
one.
However, in the new version, section 3.2 (Certificate using product uses
OS root store) still retains the following clause, which is absent in
both the "basic trust model" and the "trust model variants":

    It may then apply additional
    checks, such as checking that the certificate subject's domain name
    matches that requested by the certificate user.

I'm pretty sure these "additional checks" are critical to most
legitimate use cases on the web. If I browse to site X and it presents
a valid certificate that's only valid for site Y, the browser should not
accept it.

So I really don't think you want the term "additional" here
("additional" makes it sound like those checks are unimportant).

And I also think this description of what sort of requested name-to-cert
validation (and other criteria, like looking for certain X.509v3
extensions?) should span the various defined trust models, rather than
being isolated to a single "variant".

--dkg
