Re: Fwd: I-D Action: draft-melnikov-pop3-over-tls-01.txt
--On August 19, 2011 12:21:14 +0100 Alexey Melnikov
My personal replies are (without consulting with Mykyta):
Chris Newman wrote:
From a technical viewpoint, I have two suggestions:
Add to section 2.1:
Servers that lack configuration to accept an X.509 client certificate for
authentication purposes MUST NOT send a CertificateRequest handshake to the
client during TLS negotiation.
I am wondering whether this is actually possible to enforce using
existing TLS stacks. I would rather not make this a MUST NOT level
requirement if there are no APIs for this in, for example, OpenSSL.
I'd be fine with a SHOULD NOT.
It's an important usability issue -- many clients pop up an intrusive
"certificate selection dialog" if the server asks for a certificate. The
NSS APIs support this check although the APIs to do so are difficult to use
and non-obvious (you have to search for a cert with a client-certificate CA
trust flag in the certificate db).
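As an added illustration (not code from the thread or the draft), the following scans the plaintext server handshake flight of a TLS 1.0-1.2 session, for example one captured from your own POP3S listener, and reports whether the server sent a CertificateRequest, the message that triggers the client-side certificate selection dialog. Function names and the sample bytes are my own constructions; in TLS 1.3 this message is encrypted, so the check only applies to earlier versions.

```python
import struct

HANDSHAKE_RECORD = 0x16  # TLS record content type for handshake messages
CERTIFICATE_REQUEST = 13  # HandshakeType value for CertificateRequest
HANDSHAKE_NAMES = {2: "ServerHello", 11: "Certificate", 12: "ServerKeyExchange",
                   13: "CertificateRequest", 14: "ServerHelloDone"}


def handshake_messages(records: bytes):
    """Yield (type, body) for each handshake message in a TLS record stream.
    Handshake messages may span record boundaries, so fragments are coalesced."""
    buf, pos = bytearray(), 0
    while pos + 5 <= len(records):
        ctype, _version, length = struct.unpack("!BHH", records[pos:pos + 5])
        pos += 5
        frag = records[pos:pos + length]
        if len(frag) != length:
            raise ValueError("truncated TLS record")
        pos += length
        if ctype != HANDSHAKE_RECORD:
            continue  # alerts, ChangeCipherSpec, application data: skip
        buf += frag
        while len(buf) >= 4:
            htype, hlen = buf[0], int.from_bytes(buf[1:4], "big")
            if len(buf) < 4 + hlen:
                break  # remainder of this message arrives in the next record
            yield htype, bytes(buf[4:4 + hlen])
            del buf[:4 + hlen]
    if buf:
        raise ValueError("incomplete handshake message at end of stream")


def server_flight_names(records: bytes) -> list:
    return [HANDSHAKE_NAMES.get(t, f"type{t}") for t, _ in handshake_messages(records)]


def server_requests_client_cert(records: bytes) -> bool:
    return any(t == CERTIFICATE_REQUEST for t, _ in handshake_messages(records))


def _record(payload: bytes) -> bytes:  # wrap bytes in a TLS 1.2 handshake record
    return struct.pack("!BHH", HANDSHAKE_RECORD, 0x0303, len(payload)) + payload


def _hs(htype: int, body: bytes) -> bytes:  # build one handshake message
    return bytes([htype]) + len(body).to_bytes(3, "big") + body


# Constructed samples with dummy bodies. The first splits the Certificate
# message across two records so the reassembly path is exercised.
_cert = _hs(11, b"\x00\x00\x00")
FLIGHT_WITH_REQUEST = (_record(_hs(2, b"\x03\x03" + b"\x00" * 34) + _cert[:5])
                       + _record(_cert[5:] + _hs(13, b"\x01\x01\x00\x00") + _hs(14, b"")))
FLIGHT_WITHOUT_REQUEST = _record(_hs(2, b"\x03\x03" + b"\x00" * 34) + _cert + _hs(14, b""))
```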