RFC 6125 reference
When referencing RFC 6125 you need to provide more details. In particular, you need to pretty much answer every question in section 3 of RFC 6125: https://tools.ietf.org/html/rfc6125#section-3
One example of how this might look is in Section 9.2 of https://datatracker.ietf.org/doc/draft-ietf-sidr-rpki-rtr-rfc6810-bis/?include_text=1. For your convenience the relevant text is pasted below:
Routers MUST also verify the cache's TLS server certificate, using subjectAltName dNSName identities as described in [RFC6125], to avoid man-in-the-middle attacks. The rules and guidelines defined in [RFC6125] apply here, with the following considerations:
Support for DNS-ID identifier type (that is, the dNSName identity in the subjectAltName extension) is REQUIRED in rpki-rtr server and client implementations which use TLS. Certification authorities which issue rpki-rtr server certificates MUST support the DNS-ID identifier type, and the DNS-ID identifier type MUST be present in rpki-rtr server certificates.

DNS names in rpki-rtr server certificates SHOULD NOT contain the wildcard character "*".

rpki-rtr implementations which use TLS MUST NOT use CN-ID identifiers; a CN field may be present in the server certificate's subject name, but MUST NOT be used for authentication within the rules described in [RFC6125].
The only thing missing from the above is an explicit mention that SRV-ID and URI-ID are not used. (I think the same should apply to your document.)
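The identity rules quoted above (DNS-ID required, no wildcards, CN-ID never consulted, SRV-ID and URI-ID not used) as a client-side check, written as an added example that is not part of the draft or of this tracker. It operates on the dict layout that Python's `ssl.SSLSocket.getpeercert()` returns; the certificates below are constructed samples in that layout, not real certificates.

```python
"""Server identity check following the RFC 6125 profile quoted above.

Added example, not from the draft or the tracker. Input is the dict shape
returned by ssl.SSLSocket.getpeercert(): 'subjectAltName' is a tuple of
(type, value) pairs such as ('DNS', 'host'), 'subject' is nested RDN tuples.
"""


def _normalize(name: str) -> str:
    # DNS names compare case-insensitively; a trailing dot is not significant.
    return name.rstrip(".").lower()


def dns_ids(cert: dict) -> list[str]:
    """Return only DNS-ID identifiers (subjectAltName dNSName entries).

    URI and SRV subjectAltName entries and the subject CN are deliberately
    not returned: the profile above says they MUST NOT be used.
    """
    return [value for (kind, value) in cert.get("subjectAltName", ()) if kind == "DNS"]


def verify_server_identity(cert: dict, reference_id: str) -> tuple[bool, str]:
    """Match the reference identifier against the presented DNS-IDs.

    Returns (ok, reason). A certificate with no DNS-ID fails even if its CN
    matches; wildcard DNS-IDs are never matched because the profile says the
    certificate SHOULD NOT contain them.
    """
    presented = dns_ids(cert)
    if not presented:
        return False, "no DNS-ID present (CN-ID is not an acceptable fallback)"
    reference = _normalize(reference_id)
    for name in presented:
        if "*" in name:
            continue  # wildcard DNS-ID: never used for matching
        if _normalize(name) == reference:
            return True, f"matched DNS-ID {name!r}"
    return False, f"no DNS-ID matches {reference_id!r}"


# Constructed sample certificates in the getpeercert() dict layout.
GOOD_CERT = {
    "subject": ((("commonName", "rtr.example.net"),),),
    "subjectAltName": (("DNS", "rtr.example.net"), ("URI", "https://rtr.example.net/")),
}
CN_ONLY_CERT = {"subject": ((("commonName", "rtr.example.net"),),)}
WILDCARD_CERT = {"subject": (), "subjectAltName": (("DNS", "*.example.net"),)}
URI_ONLY_CERT = {"subject": (), "subjectAltName": (("URI", "https://rtr.example.net/"),)}
```

The CN-only and URI-only samples fail even though the expected name appears in them, which is the behaviour the quoted profile requires.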
Comments (1)
fixes #62 - Alexey Melnikov Discuss <<cset 06dd9456f485>>