- From: Ryan Hamilton <rch@google.com>
- Date: Tue, 18 Jul 2017 11:47:58 -0700
- To: Mike Bishop <Michael.Bishop@microsoft.com>
- Cc: Mark Nottingham <mnot@mnot.net>, Patrick McManus <mcmanus@ducksong.com>, Emily Stark <estark@google.com>, Nick Sullivan <nicholas.sullivan@gmail.com>, Ilari Liusvaara <ilariliusvaara@welho.com>, Erik Nygren <erik@nygren.org>, Piotr Sikora <piotrsikora@google.com>, "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
- Message-ID: <CAJ_4DfQEAP4iv5Q7kgmZ5A2MBqsWvEQ+XOh5rgMVRLqsD2gpPA@mail.gmail.com>

On Tue, Jul 18, 2017 at 9:41 AM, Mike Bishop <Michael.Bishop@microsoft.com> wrote:

> I'd either say something like "Clients opting not to check DNS SHOULD
> employ some alternative means to increase confidence that the certificate
> is legitimate, such as Certificate Transparency or revocation checks," or
> just stop after the first sentence. If it's a MAY, then it's up to the
> clients under what specific conditions they employ it. The main reason, in
> my mind, for adding the second sentence is to inform less-security-aware
> developers that they shouldn't just toss DNS out the window without having
> something else in hand.
>

This seems like the right direction to me.

Received on Tuesday, 18 July 2017 18:48:26 UTC