From b87481c8ccc575ef5c3a0b113831e92724512b81 Mon Sep 17 00:00:00 2001 From: Mike Bishop Date: Mon, 20 Apr 2020 11:10:25 -0400 Subject: [PATCH] MUST verify => MUST NOT accept on fail --- draft-ietf-quic-http.md | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/draft-ietf-quic-http.md b/draft-ietf-quic-http.md index c0761c4131..506c7a1272 100644 --- a/draft-ietf-quic-http.md +++ b/draft-ietf-quic-http.md @@ -403,7 +403,10 @@ hostname in the URI is present in the authenticated certificate provided by the server, either as the CN field of the certificate subject or as a dNSName in the subjectAltName field of the certificate (see {{!RFC6125}}). For a host that is an IP address, the client MUST verify that the address appears as an iPAddress -in the subjectAltName field of the certificate. +in the subjectAltName field of the certificate. If the hostname or address is +not present in the certificate, the client MUST NOT consider the server +authoritative for origins containing that hostname or address. See Section 5.4 +of {{!SEMANTICS}} for more detail on authoritative access. Clients SHOULD NOT open more than one HTTP/3 connection to a given host and port pair, where the host is derived from a URI, a selected alternative service
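Review bot: the new sentence states the consequence of a failed check (the server is not authoritative for origins containing that hostname or address) but does not say what happens to the connection itself, which in HTTP/3 may already be carrying requests for other origins; since the added text scopes the result to "origins containing that hostname or address", consider saying explicitly that the connection remains usable for origins whose names do appear in the certificate, or, if that is not the intent, that the client should treat the mismatch as a connection-level failure. Also, "See Section 5.4 of {{!SEMANTICS}}" hard-codes a section number into a reference to a draft that is still being revised, so that number is likely to drift before publication; prefer referencing the target by anchor if the tooling supports it, or note it as something to re-check at AUTH48.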