Kyle Hamilton wrote, On 2009-02-25 14:04: > Postel's first rule of interoperability: be liberal in what you > accept, be conservative in what you send.
Yeah. Lots of nasty Internet vulnerabilities have results from applying that to crypto protocols and formats. I know, I've had to fix 'em! > Which RFC requires which? RFC 5280 says (Section 4.2.1.13, CRL Distribution Points, page 46) If the DistributionPointName contains a general name of type URI, the following semantics MUST be assumed: the URI is a pointer to the current CRL for the associated reasons and will be issued by the associated cRLIssuer. When the HTTP or FTP URI scheme is used, the URI MUST point to a single DER encoded CRL as specified in [RFC2585]. HTTP server implementations accessed via the URI SHOULD specify the media type application/pkix-crl in the content-type header field of the response. > (I had read somewhere, for example, that > wildcard certificates must be handled by HTTP over TLS servers in a > particular way -- it turns out that it wasn't part of PKIX, as I had > thought, but rather an Informational RFC regarding "HTTP over TLS".) You're referring to RFC 2818, which defines https. It is informational, but it is THE standard for https. It's up to every application protocol that uses TLS to decide and specify any aspects of certs that are required to have specific characteristics of relevance to that protocol. There are separate RFCs that specify the requirements for HTTPS (RFC 2818), for LDAPS (RFC 4513), and for IMAP, POP3 and ACAP (RFC 2595). See bug 159483 for more info on that subject. -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
