[prev in list] [next in list] [prev in thread] [next in thread]
List: ietf-tls
Subject: Re: [TLS] 3rd WGLC for draft-ietf-tls-exported-authenticators
From: Watson Ladd <watsonbladd () gmail ! com>
Date: 2020-06-05 11:29:13
Message-ID: CACsn0cnRtPmvJVK+_A+Nw3=RoHT+riUPXhhuZafOZSrj9AuOMQ () mail ! gmail ! com
[Download RAW message or body]
On Thu, Jun 4, 2020 at 9:48 PM Sean Turner <sean@sn3rd.com> wrote:
>
> Another reminder ...
>
> > On May 22, 2020, at 09:23, Sean Turner <sean@sn3rd.com> wrote:
> >
> > This is the 3rd WGLC for "Exported Authenticators in TLS" draft available at \
> > https://datatracker.ietf.org/doc/draft-ietf-tls-exported-authenticator/. The \
> > secdir review during IETF LC raised some issues and as a result there have been a \
> > couple of new versions. Please respond to the list with any comments by 2359 UTC \
> > on 8 June 2020.
I've implemented earlier drafts. I do have a concern with the
validate API as presented in the draft: it treats empty authenticators
as valid, and then returns the identity as a certificate chain that
must be validated by the application. Similar APIs have lead to easily
foreseeable pwnage. Instead I would recommend the validate API carry
out X509 validation against a trust store or validation function and
treat the empty authenticator as invalid. That way someone has to
think before not checking the certificate returned.
Sincerely,
Watson Ladd
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic