On 12/7/10 2:42 PM, Stef Walter wrote:
> On 2010-12-06 21:46, Peter Saint-Andre wrote:
>> On 12/6/10 8:23 PM, Stef Walter wrote:
>>> * Lookup untrusted assertions for CRLs.
>>
>> What about OCSP?
>
> I'll have to think about that more. I haven't planned anything concrete
> for OCSP yet.
>
>>> Interested in any comments or insight.
>>
>> I've written a whole spec about just the domain name aspect of
>> certificate validation, which should "soon" be published as an RFC:
>>
>> http://tools.ietf.org/html/draft-saintandre-tls-server-id-check
>>
>> You might want to have a look at that, along with some of the referenced
>> specs (which provide more details about other aspects).
>
> Interesting. I'll look it over.
>
> I notice you use the terminology 'pinned certificates'. Maybe we should
> use that terminology as well. Currently I've been saying 'certificate
> exceptions' but that's kind of ambiguous.

Jeff Hodges and I borrowed that terminology from the W3C, although it might
predate their work. It seems to be fairly common.

> In your opinion does the 'pinning' of a certificate override all other
> verification, or merely the identity check?

Only the identity check. You still check the certification path, revocation
status, etc.

Peter

--
Peter Saint-Andre
https://stpeter.im/
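The policy Peter describes above, as an added example that is not part of the thread or of any Telepathy code: a pin satisfies only the identity check, while path validation and revocation status are enforced unconditionally. The Cert class, its fields and the pin store are constructed stand-ins; the DNS-ID matching follows the left-most-label wildcard rule from the draft linked above.

```python
from dataclasses import dataclass
import hashlib

# Constructed stand-in for an X.509 end-entity certificate: only the fields
# the validation policy below needs. Real code would parse DER with a library.
@dataclass
class Cert:
    der: bytes                  # constructed bytes, not a real certificate
    dns_ids: tuple = ()         # subjectAltName dNSName entries
    path_valid: bool = True     # outcome of chain building to a trust anchor
    revoked: bool = False       # CRL/OCSP status (OCSP is left open in the thread)

    def fingerprint(self) -> str:
        return hashlib.sha256(self.der).hexdigest()

def match_dns_id(reference: str, presented: str) -> bool:
    """Match a reference identifier against a presented DNS-ID.
    A wildcard is honoured only as the complete left-most label."""
    ref, pres = reference.lower().split("."), presented.lower().split(".")
    if len(ref) != len(pres) or len(ref) < 2:
        return False
    if pres[0] == "*":
        return ref[1:] == pres[1:]
    return ref == pres

def identity_matches(cert: Cert, hostname: str) -> bool:
    return any(match_dns_id(hostname, p) for p in cert.dns_ids)

def validate(cert: Cert, hostname: str, pins: dict) -> str:
    """pins maps hostname -> set of SHA-256 fingerprints the user accepted.
    Returns 'ok', 'ok (pinned identity)' or the reason for rejection."""
    # Path and revocation checks run whether or not a pin exists.
    if not cert.path_valid:
        return "untrusted path"
    if cert.revoked:
        return "revoked"
    # Only the identity check may be satisfied by a pin.
    if identity_matches(cert, hostname):
        return "ok"
    if cert.fingerprint() in pins.get(hostname.lower(), set()):
        return "ok (pinned identity)"
    return "identity mismatch"
```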
telepathy mailing list
http://lists.freedesktop.org/mailman/listinfo/telepathy
