|Main Archive Page > Month Archives > ipsec archives|
Tero, thanks for the comments and the clarification on how to read a lower case must. I do have a few more comments.
>So implementations cannot just search uppercase "MUST/SHOULD/MAY"
>texts and assume it is enough to make sure those are correct. It also
>needs to do what the text says...
I think most implementers focus on the MUST and SHOULDs and then apply common sense to the remaining text.
>> CRL checking is not cheap and
>> performing CRL checking when selecting a certificate seems like an
>> usability feature to me.
>The you probably want to make change to the current text which says
>you must do it...
Correct. I think when selecting a certificate that consulting revocation information is a lower case should or could at best. I agree that on the accepting side a lower case must is appropriate for revocation checking from an interoperability perspective. By that I mean the failure to do so will not hinder interoperability, but from a security perspective it really should be done.
z/OS Comm Server Developer
Tie line: 620-4055