Opened 7 years ago

Closed 7 years ago

#55 closed defect (fixed)

Security Considerations: Describe the implications of clients *not* doing certain optional checks

Reported by: eranm@… Owned by: draft-ietf-trans-rfc6962-bis@…
Priority: major Milestone: review
Component: rfc6962-bis Version:
Severity: - Keywords:
Cc:

Description

Client behaviour is not mandated in RFC6962-bis - but the list of checks a client could do is specified.
We should document, in the Security Considerations section, what happens if a client does not perform each (or some) of these checks.
For example, the implications of not checking the validity of SCTs or not terminating a connection if there are not enough valid SCTs.

Hopefully this is an acceptable middle-ground between mandating client behaviour and not mandating it at all.

Change History (3)

comment:1 Changed 7 years ago by eranm@…

To clarify: This refers both to TLS clients and monitors not doing these checks, not just the TLS clients.

comment:2 Changed 7 years ago by benl@…

  • Milestone set to review

I presume this should become part of the threat analysis I-D.

comment:3 Changed 7 years ago by melinda.shore@…

  • Resolution set to fixed
  • Status changed from new to closed