[Openid-specs-fapi] Issue #646: NOTE in 5.2.1 has "can" (openid/fapi)

Nat issues-reply at bitbucket.org
Tue Jan 9 06:17:58 UTC 2024


New issue 646: NOTE in 5.2.1 has "can"
https://bitbucket.org/openid/fapi/issues/646/note-in-521-has-can

Nat Sakimura:

Currently, it goes: 

> NOTE: Even if an endpoint uses only organization validated (OV) or extended validation (EV) TLS certificates, rogue domain-validated certificates can be used to impersonate the endpoint and conduct man-in-the-middle attacks. CAA records [RFC8659] can help to mitigate this risk.

“Can” is a keyword and is probably better avoided in the NOTES as far as possible per subclause 24.6 of ISODIR2. (It prohibits the use of shall, should, may.) Also, it uses the passive voice, which should be avoided.

Perhaps we can make it so that: 

> NOTE: Even if an endpoint uses only organization validated (OV) or extended validation (EV) TLS certificates, **an attacker using** rogue domain-validated certificates ~~can be used to~~ **is able to** impersonate the endpoint and conduct man-in-the-middle attacks. CAA records [RFC8659] ~~can~~ help to mitigate this risk.

Also, add CAA to the abbreviations. 
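The NOTE under discussion says CAA records help mitigate rogue domain-validated certificates, but does not show what a CA actually does with them. The following is an added example (not code from the thread, the FAPI specification, or RFC 8659 itself) that implements the RFC 8659 issuance check a certificate authority performs before validating a domain: encode and decode CAA RDATA, find the Relevant RRset by walking up the name tree, honour the issuer-critical flag, and apply the `issue` / `issuewild` properties. The zone contents, the names under `example.com` and the issuer domains `ca.example` and `wildcards-ca.example` are all constructed for the example.

```python
"""RFC 8659 CAA issuance check against a constructed in-memory zone (added example)."""
import re
from typing import Dict, List, Tuple

CRITICAL = 0x80                       # issuer-critical flag bit, RFC 8659 section 4.1
KNOWN_TAGS = {"issue", "issuewild", "iodef"}   # property tags defined by RFC 8659

# Zone keyed by lowercase FQDN with trailing dot; values are CAA RDATA in wire format.
Zone = Dict[str, List[bytes]]


def caa_rdata(flags: int, tag: str, value: str) -> bytes:
    """Encode CAA RDATA: flags (1 byte) | tag length (1 byte) | tag | value."""
    t = tag.encode("ascii")
    if not re.fullmatch(rb"[A-Za-z0-9]{1,255}", t):
        raise ValueError("tag must be 1-255 US-ASCII letters or digits")
    return bytes([flags & 0xFF, len(t)]) + t + value.encode("utf-8")


def parse_caa(rdata: bytes) -> Tuple[int, str, str]:
    """Decode CAA RDATA into (flags, lowercase tag, value)."""
    if len(rdata) < 2:
        raise ValueError("CAA RDATA too short")
    flags, tlen = rdata[0], rdata[1]
    if tlen == 0 or len(rdata) < 2 + tlen:
        raise ValueError("bad CAA tag length")
    tag = rdata[2:2 + tlen].decode("ascii").lower()   # tags compare case-insensitively
    return flags, tag, rdata[2 + tlen:].decode("utf-8")


def relevant_rrset(zone: Zone, fqdn: str) -> List[Tuple[int, str, str]]:
    """RFC 8659 section 3: the CAA RRset at fqdn, else at its closest ancestor that has one."""
    labels = fqdn.lower().rstrip(".").split(".")
    while labels:
        rrs = zone.get(".".join(labels) + ".", [])
        if rrs:
            return [parse_caa(r) for r in rrs]
        labels.pop(0)                 # climb to the parent name
    return []


def parse_issue_value(value: str) -> Tuple[str, Dict[str, str]]:
    """Split 'issuer-domain; k=v; k2=v2' into (issuer domain, parameters); ';' alone means no domain."""
    domain, _, rest = value.partition(";")
    params = {}
    for p in rest.split(";"):
        k, _, v = p.strip().partition("=")
        if k:
            params[k.strip().lower()] = v.strip()
    return domain.strip().lower().rstrip("."), params


def issuance_permitted(zone: Zone, name: str, issuer_domain: str) -> Tuple[bool, str]:
    """Decide whether `issuer_domain` may issue for `name` ('*.x' for a wildcard certificate)."""
    wildcard = name.startswith("*.")
    rrset = relevant_rrset(zone, name[2:] if wildcard else name)   # wildcard lookup starts at the parent
    if not rrset:
        return True, "no CAA records found: issuance not constrained by CAA"
    for flags, tag, _ in rrset:
        if tag not in KNOWN_TAGS and flags & CRITICAL:
            return False, f"unrecognised critical property {tag!r}"
    issue = [v for _, t, v in rrset if t == "issue"]
    issuewild = [v for _, t, v in rrset if t == "issuewild"]
    governing = issuewild if (wildcard and issuewild) else issue   # issuewild overrides only for wildcards
    if not governing:
        return True, "no issue property in the relevant RRset"
    issuer = issuer_domain.lower().rstrip(".")
    for v in governing:
        domain, _ = parse_issue_value(v)
        if domain and domain == issuer:
            return True, f"authorised by property value {v!r}"
    return False, "issuer not listed in the relevant RRset"


# Constructed zone: only the apex and a few children carry CAA; other names inherit from the apex.
ZONE: Zone = {
    "example.com.": [caa_rdata(0, "issue", "ca.example"),
                     caa_rdata(0, "iodef", "mailto:security@example.com")],
    "legacy.example.com.": [caa_rdata(0, "issue", ";")],            # nobody may issue
    "strict.example.com.": [caa_rdata(CRITICAL, "futuretag", "x")],  # unknown critical tag
    "wild.example.com.": [caa_rdata(0, "issue", "ca.example"),
                          caa_rdata(0, "issuewild", "wildcards-ca.example; validationmethods=dns-01")],
}

if __name__ == "__main__":
    for name, issuer in [("api.example.com", "ca.example"), ("api.example.com", "rogue-ca.example"),
                         ("legacy.example.com", "ca.example"), ("strict.example.com", "ca.example"),
                         ("*.wild.example.com", "ca.example"), ("*.wild.example.com", "wildcards-ca.example")]:
        print(f"{issuer:>22} -> {name:<22} {issuance_permitted(ZONE, name, issuer)}")
```

A real CA runs the same logic against live DNS (ideally with DNSSEC validation, since a spoofed empty answer would otherwise look like "no CAA records"); the in-memory zone here only stands in for those lookups. The mitigation the NOTE refers to is the second case above: a CA not listed in the apex `issue` record must refuse the request for any child name that does not override it.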



