On 2010-12-06 21:46, Peter Saint-Andre wrote:
> On 12/6/10 8:23 PM, Stef Walter wrote:
>> * Lookup untrusted assertions for CRLs.
>
> What about OCSP?

I'll have to think about that more. I haven't planned anything concrete for OCSP yet.

>> Interested in any comments or insight.
>
> I've written a whole spec about just the domain name aspect of
> certificate validation, which should "soon" be published as an RFC:
>
> http://tools.ietf.org/html/draft-saintandre-tls-server-id-check
>
> You might want to have a look at that, along with some of the referenced
> specs (which provide more details about other aspects).

Interesting. I'll look it over.

I notice you use the terminology 'pinned certificates'. Maybe we should use that terminology as well. Currently I've been saying 'certificate exceptions' but that's kind of ambiguous.

In your opinion does the 'pinning' of a certificate override all other verification, or merely the identity check?

Cheers,

Stef
