Re: Fwd: I-D Action: draft-melnikov-pop3-over-tls-01.txt

--On August 19, 2011 12:21:14 +0100 Alexey Melnikov <alexey.melnikov@xxxxxxxxx> wrote:
Hi Chris,
My personal replies are (without consulting with Mykyta):

Chris Newman wrote:

From a technical viewpoint, I have two suggestions:

Add to section 2.1:

Servers that lack configuration to accept an X.509 client certificate for authentication purposes MUST NOT send a CertificateRequest handshake to the client during TLS negotiation.

I am wondering whether this is actually possible to enforce using
existing TLS stacks. I would rather not make this a MUST NOT level
requirement if there are no APIs for this in, for example, OpenSSL.

I'd be fine with a SHOULD NOT.

It's an important usability issue -- many clients pop up an intrusive "certificate selection dialog" if the server asks for a certificate. The NSS APIs support this check although the APIs to do so are difficult to use and non-obvious (you have to search for a cert with a client-certificate CA trust flag in the certificate db).

		- Chris
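The check a deployer would want for the requirement discussed above is whether a given server actually sends a CertificateRequest (handshake type 13) in its TLS 1.2 server flight. The following is an added example, not code from the draft or from either author: it walks a captured sequence of TLS records, reassembles handshake messages that span record boundaries, and reports the handshake types seen. The sample flights are constructed byte strings with abbreviated bodies, not real captures; in TLS 1.3 the CertificateRequest is encrypted, so this check only applies to the cleartext handshake of TLS 1.2 and earlier.

```python
import struct

HANDSHAKE_RECORD = 22          # TLS record content type for handshake messages
CERTIFICATE_REQUEST = 13       # HandshakeType value for CertificateRequest

def handshake_types(records: bytes) -> list:
    """Return the handshake message types in a byte string of TLS records."""
    buf = bytearray()
    off = 0
    # Pass 1: collect the payload of every handshake record, in order, so a
    # handshake message fragmented across records is parsed as one message.
    while off < len(records):
        if off + 5 > len(records):
            raise ValueError("truncated TLS record header")
        ctype, _version, length = struct.unpack("!BHH", records[off:off + 5])
        payload = records[off + 5:off + 5 + length]
        if len(payload) < length:
            raise ValueError("truncated TLS record body")
        if ctype == HANDSHAKE_RECORD:
            buf += payload
        off += 5 + length
    # Pass 2: walk the reassembled handshake stream (1-byte type, 3-byte length).
    types, i = [], 0
    while i < len(buf):
        if i + 4 > len(buf):
            raise ValueError("truncated handshake message header")
        htype = buf[i]
        hlen = int.from_bytes(buf[i + 1:i + 4], "big")
        if i + 4 + hlen > len(buf):
            raise ValueError("truncated handshake message body")
        types.append(htype)
        i += 4 + hlen
    return types

def server_requests_client_cert(records: bytes) -> bool:
    """True if the server flight asks the client for a certificate."""
    return CERTIFICATE_REQUEST in handshake_types(records)

# Helpers to build constructed sample flights (hypothetical, minimal bodies).
def _hs(htype: int, body: bytes = b"") -> bytes:
    return bytes([htype]) + len(body).to_bytes(3, "big") + body

def _record(payload: bytes, ctype: int = HANDSHAKE_RECORD) -> bytes:
    return struct.pack("!BHH", ctype, 0x0303, len(payload)) + payload

_SERVER_HELLO = _hs(2, b"\x03\x03" + b"\x00" * 32)   # version + zeroed random
_CERTIFICATE = _hs(11, b"\x00\x00\x00")              # empty certificate_list
_CERT_REQUEST = _hs(13, b"\x01\x01\x00\x00\x00\x00")  # rsa_sign, no sigalgs, no CAs
_SERVER_HELLO_DONE = _hs(14)
FLIGHT_NO_REQUEST = _record(_SERVER_HELLO) + _record(_CERTIFICATE + _SERVER_HELLO_DONE)
FLIGHT_WITH_REQUEST = _record(_SERVER_HELLO) + _record(_CERTIFICATE + _CERT_REQUEST + _SERVER_HELLO_DONE)
```

The same walk over a real capture (records from the server only, up to ServerHelloDone) tells you whether clients will be prompted for a certificate even though the server is not configured to use one.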