ietf
[Top] [All Lists]

Re: [TLS] Metadiscussion on changes in draft-ietf-tls-renegotiation

2010-01-27 11:32:02
Peter Gutmann wrote:

Martin Rex <mrex(_at_)sap(_dot_)com> writes:

That implementors should ignore at least half of the MUSTs and SHOULDs
in IETF documents, because they don't make any sense, create unnecessary
interop problems or are otherwise harmful -- and should not be in the
document in the first place?

<aside>That's been the standard for PKIX RFCs for at least ten years
(actively acknowledged by WG mmembers), although perhaps its spread
to other groups should be discouraged.</aside>

I fully agree.

That may be attributed to the fact that a large part of PKIX is dealing
with policy issues with the objective to prevent/prohibit interoperability.

When providing software (updates) to an installed base, it is not
exactly easy to "sell" them interoperability problems, which is one
reason why the adoption speed for some PKIX features is poor.

And then there are the serious security problems created by some
of the PKIX features themselves, like AIA (Authority Identifier Access).
But basically it applies to all URLs in certs that you can use
to coerce a server in order to perform a network access of
resources according to the desire of the presenter of the certificate.

-Martin
_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf