- From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
- Date: Mon, 03 Sep 2007 12:35:14 +0100
- To: stephen.farrell@cs.tcd.ie, public-wsc-wg@w3.org

Thomas Roessler wrote:
> On 2007-08-29 15:52:11 +0000, Web Security Context Working Group
> Issue Tracker wrote:
>
>> ISSUE-106 (cert/URL matching): We need to define details of
>> cert/URL matching [Techniques]
>
>> http://www.w3.org/2006/WSC/track/issues/
>
>> Raised by: Stephen Farrell
>> On product: Techniques
>
>> If we are to react to certs that don't match a URL then we need a
>> well defined matching rule
>
> So, we say that "if cert doesn't match, blah blah, then..." -- for
> that, the rules in RFC 2818 (https) combined with RFC 3280 (pkix)
> would seem to be sufficient.
>
> Are you suggesting that we just reference these two documents, or do
> you have something deeper in mind?

We should definitely reference them. But we should also rethink
if necessary, e.g. 2818 mandates preferring dNSName subjectAltName
if present - I'm wondering if anyone in fact uses that and if not
if we should recommend something else; 2818 also doesn't mention
domainComponent ("dc=") which is all over the place in 3280bis
(I guess as one of the co-authors of that I should be the one to
re-read it for this ;-) but I'm not sure how much dc= is really
in use.

So, we need to reference and maybe re-validate 2818, 3280 and
3280bis (which has now finished all LCs in the IETF), before we
close this issue.

S.

>
> Thanks,
Received on Monday, 3 September 2007 11:35:29 UTC
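
The RFC 2818 matching rule discussed in the message above, as an added example that is not part of the original e-mail or of any working group document. It shows that a dNSName subjectAltName, when present, replaces the CN entirely, and that dc= components are never consulted. The dict layout, function names and sample certificates are constructed for illustration, and "most specific CN" is assumed to be the last CN in the subject.

```python
import re

def label_matches(pattern, label):
    # RFC 2818 wildcard: "*" stands for one label or a fragment of one label.
    regex = "".join("[^.]*" if ch == "*" else re.escape(ch) for ch in pattern)
    return re.fullmatch(regex, label) is not None

def name_matches(pattern, host):
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    # A wildcard never spans a dot, so the label counts must be equal.
    return len(p) == len(h) and all(map(label_matches, p, h))

def reference_names(cert):
    """Pick the identity to compare against, per RFC 2818 section 3.1."""
    san = cert.get("san_dns", [])
    if san:
        return "dNSName", list(san)      # SAN present: CN is not consulted
    cns = [v for t, v in cert.get("subject", []) if t.lower() == "cn"]
    return "CN", cns[-1:]                # assumption: most specific RDN is last

def cert_matches_host(cert, host):
    """Return (matched, source of the identity that was compared)."""
    source, names = reference_names(cert)
    return any(name_matches(n, host) for n in names), source

# Constructed sample certificates (hypothetical dict layout, not a real parser).
SAN_CERT = {"subject": [("o", "Example"), ("cn", "www.example.com")],
            "san_dns": ["example.net", "*.example.net"]}
CN_CERT = {"subject": [("dc", "com"), ("dc", "example"),
                       ("cn", "www.example.com")]}
DC_CERT = {"subject": [("dc", "com"), ("dc", "example"), ("o", "Example")]}

if __name__ == "__main__":
    for cert, host in [(SAN_CERT, "www.example.net"),
                       (SAN_CERT, "www.example.com"),
                       (CN_CERT, "www.example.com"),
                       (DC_CERT, "example.com")]:
        print(host, cert_matches_host(cert, host))
```
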