5.1.5.3 Security Consideration Citations
Implementers of this protocol are advised to consider the following security precautions:
A client or server has to follow generally accepted principles of secure key management. For more information, see section 9 of [RFC3280]. For an introduction to these generally accepted principles, see [CRYPTO] and [HOWARD].
Clients and servers should validate cryptographic parameters prior to issuing or accepting certificates. For more information, see section 9 of [RFC2797].
Clients and servers should validate and verify certificate path information identified in section 6 of [RFC3280]. See section 9 of [RFC3280] for more information on the requirement for certificate path validation.
Clients and servers should validate and verify the freshness of revocation information of all digital certificates prior to usage, trust, or encryption as identified in section 6.3 of [RFC3280]. See section 9 of [RFC3280] for more information on the requirement for revocation freshness.
A client or server should follow all security considerations in section 5 of [RFC2560].
A client or server should follow all security considerations discussed throughout [RFC2315] and [RFC2986], because neither normative reference has a specific security section.
Clients and servers should use an authenticated HTTP session between client and server to mitigate denial-of-service (DoS) attacks. For more information on generic DoS mitigation techniques, see [HOWARD].
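As an added illustration that is not part of this specification, the following POSIX shell function shows the kind of pre-issuance check of a PKCS#10 request [RFC2986] that the "validate cryptographic parameters prior to issuing" precaution above calls for, using the openssl command-line tool. The RSA-only policy, the 2048-bit minimum, the rejection of MD5/SHA-1 signatures and the sample subject name are assumptions of this example.

```shell
# Added example (not from the specification): a CA-side check of a PKCS#10
# request before issuance. Policy values below are assumptions.
MIN_RSA_BITS=2048

# validate_csr FILE
# Returns 0 when the request's self-signature verifies (proof that the
# requester holds the private key), the public key is RSA of at least
# MIN_RSA_BITS, and the request was not signed with MD5 or SHA-1.
# Returns 1 with a reason on stderr otherwise.
validate_csr() {
    csr="$1"
    # Proof of possession: the request must carry a valid self-signature.
    if ! openssl req -in "$csr" -noout -verify >/dev/null 2>&1; then
        echo "reject: self-signature does not verify" >&2
        return 1
    fi
    text=$(openssl req -in "$csr" -noout -text)
    # Assumed policy: only RSA keys are issued for.
    if ! printf '%s\n' "$text" | grep -q 'Public Key Algorithm: rsaEncryption'; then
        echo "reject: public key algorithm is outside policy" >&2
        return 1
    fi
    # Key-size policy, taken from the "Public-Key: (N bit)" line.
    bits=$(printf '%s\n' "$text" \
        | sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1)
    if [ -z "$bits" ] || [ "$bits" -lt "$MIN_RSA_BITS" ]; then
        echo "reject: ${bits:-unknown}-bit key is below the $MIN_RSA_BITS-bit minimum" >&2
        return 1
    fi
    # Signature-hash policy: refuse broken hash functions.
    if printf '%s\n' "$text" | grep -qiE 'Signature Algorithm: *(md5|sha1)'; then
        echo "reject: request signed with a weak hash" >&2
        return 1
    fi
    return 0
}

# make_csr FILE BITS: constructed sample input, a throw-away RSA key and
# request with an assumed subject name (not real enrollment data).
make_csr() {
    openssl req -new -newkey "rsa:$2" -nodes -subj "/CN=example" \
        -keyout "$1.key" -out "$1" >/dev/null 2>&1
}

# Usage: a 2048-bit request passes, a 1024-bit request is rejected.
# make_csr good.csr 2048 && validate_csr good.csr
# make_csr weak.csr 1024 && validate_csr weak.csr   # exits 1
```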