- Type: Bug
- Status: New
- Priority: Major
- Resolution: Unresolved
- Affects Version/s: TAXII Version 2.0 CSPRD01
- Fix Version/s: None
- Component/s: None
- Labels: None
- Environment: Conformance
Proposal:
8.3.1 Client Certificate Verification reads:
*****
TAXII 2.0 servers MAY choose to verify a client’s certificate and use it for authentication. TAXII Servers supporting client certificate verification and authentication MUST follow the normative requirements listed in this section.
● The default strategy for TAXII Servers authenticating and verifying certificates SHOULD be PKIX as defined in [RFC5280], [RFC6818], [RFC6125] et al.
● It MAY support other certificate verification policies such as Certificate Pinning.
*****
So a TAXII Server MAY verify a TAXII client certificate; if it does, then it MUST... follow a SHOULD or a MAY?
Really?
How about down to the MUST and then:
*****
Use PKIX as defined in [RFC5280], [RFC6818], [RFC6125] et al., or
Support other certificate verification policies such as Certificate Pinning.
*****
The reasoning is that if a TAXII server chooses (the first MAY) to verify a client certificate, then it either uses PKIX or some other verification policy.
Otherwise, you have a MUST that has no failure condition. Yes?