NOTE in 5.2.1 has "can"

Currently, it goes:

NOTE: Even if an endpoint uses only organization validated (OV) or extended validation (EV) TLS certificates, rogue domain-validated certificates can be used to impersonate the endpoint and conduct man-in-the-middle attacks. CAA records [RFC8659] can help to mitigate this risk.

“Can” is a keyword and is probably better avoided in the NOTES as far as possible per clause subclause 24.6 of ISODIR2. (It prohibits the use of shall, should, may.) Also, it is using a passive voice, which should be avoided.

Perhaps we can make it so that:

NOTE: Even if an endpoint uses only organization validated (OV) or extended validation (EV) TLS certificates, an attacker using rogue domain-validated certificates ~~can be used to~~ is able to impersonate the endpoint and conduct man-in-the-middle attacks. CAA records [RFC8659] ~~can~~ help to mitigate this risk.

‌

‌

Comments (3)