To:
"Hollenbeck, Scott" <shollenbeck@verisign.com>, EPP Provreg <ietf-provreg@cafax.se>
From:
James Gould <jgould@verisign.com>
Date:
Tue, 14 Apr 2009 09:27:20 -0400
In-Reply-To:
<046F43A8D79C794FA4733814869CDF07029FD729@dul1wnexmb01.vcorp.ad.vrsn.com>
Sender:
owner-ietf-provreg@cafax.se
Thread-Index:
Acm8NJmzYO33/ZvpQjq+pbJCVGlx1QATEQdWABw02xAABMLdUg==
Thread-Topic:
[ietf-provreg] AD Review Comments:draft-hollenbeck-rfc4934bis-00
User-Agent:
Microsoft-Entourage/12.15.0.081119
Subject:
Re: [ietf-provreg] AD Review Comments: draft-hollenbeck-rfc4934bis-00
Title: Re: [ietf-provreg] AD Review Comments: draft-hollenbeck-rfc4934bis-00 Scott,
From: Gould, James
Sent: Monday, April 13, 2009 5:43 PM
To: Hollenbeck, Scott; EPP Provreg
Subject: Re: [ietf-provreg] AD Review Comments: draft-hollenbeck-rfc4934bis-00
Scott,
We’re implementing SSL using JSSE in our Java EPP SDK, but I’m not sure if JSSE sends a TLS_close_notify alert before the connection is closed.
--
JG
-------------------------------------------------------
James F. Gould
Principal Software Engineer
VeriSign Naming Services
jgould@verisign.com
Direct: 703.948.3271
Mobile: 703.628.7063
21345 Ridgetop Circle
LS2-2-1
Dulles, VA 20166
Notice to Recipient: This e-mail contains confidential, proprietary and/or Registry Sensitive information intended solely for the recipient and, thus may not be retransmitted, reproduced or disclosed without the prior written consent of VeriSign Naming and Directory Services. If you have received this e-mail message in error, please notify the sender immediately by telephone or reply e-mail and destroy the original message without making a copy. Thank you.
From: "Hollenbeck, Scott" <shollenbeck@verisign.com>
Date: Mon, 13 Apr 2009 08:37:25 -0400
To: EPP Provreg <ietf-provreg@cafax.se>
Subject: [ietf-provreg] AD Review Comments: draft-hollenbeck-rfc4934bis-00
Some feedback from Alexey on the new TLS Usage Profile text in 4934bis.
I now need implementer feedback.
>> A client MUST close the associated TLS connection if the connection
>> is not expected to deliver any EPP messages later. It MUST send a
>> TLS close_notify alert before closing the connection.
>>
> As an implementor I remain skeptical that existing implementations do
> that. At least I doubt many IMAP or SMTP servers do that. So maybe you
> should check how existing EPP implementations handle connection
closure.
What are you implementers doing?
> I think the text about how to extract and verify domain information
from
> X.509 certificates is still missing from your draft. I think that what
> Chris wanted you to do and I am in agreement with him on this.
> I see some text on this in Section 8, but I think it is a bit too
short.
> Check section 2.2.1 of draft-ietf-sieve-managesieve-09.txt. It
probably
> contains 80% of what EPP should use.
Comments, please. I've sent a note to Alexey pushing back on this
because (in my opinion) this puts mandates on client and server
certificate validation behavior that don't affect EPP interoperability.
If I'm wrong, I'd prefer to cite an existing mature reference instead of
cloning text from an unapproved I-D. Does anybody know of one?
-Scott-