At 11:29 PM -0400 7/17/10, Shumon Huque wrote: >On Thu, Jul 15, 2010 at 04:29:07PM -0700, Paul Hoffman wrote: >> At 4:08 PM -0700 7/15/10, The IESG wrote: >> >The IESG has received a request from an individual submitter to consider >> >the following document: >> > >> >- 'Representation and Verification of Domain-Based Application Service >> > Identity in Certificates Used with Transport Layer Security ' >> > <draft-saintandre-tls-server-id-check-08.txt> as a Proposed Standard >> >> >> The middle of Section 4.2 says: >> The client then orders the list in accordance with the following >> rules: >> Then, in 4.3, it checks each reference in this ordered list until >> it (hopefully) finds a match. Given that it is going to do an >> exhaustive search, what is the purpose of ordering? > >Not sure I'm following your question, but the purpose of ordering >is to look for the subject identities in preference order (SRV/URI, >before dNSName, before Common Name etc). Once a match is found, >the search is aborted; an exhaustive search is only performed if >the matched identity is the last one or there is no match. Section >4.3 has: > > It does so by seeking a match in preference order > and aborting the search if any presented identifier matches one of > its reference identifiers. The search fails if the client exhausts > its list of reference identifiers without finding a match. I understand that, but what is the advantage of searching in the preferred order over, say, searching in random order of the pile? I don't see an advantage of getting a result from the more-preferred identity if you are eventually going to accept anything. If there is no advantage, the "sort the pile before searching" step adds complexity without benefit, and thus should be dropped. If there is some advantage, I'm fine with it being there. --Paul Hoffman, Director --VPN Consortium _______________________________________________ Ietf mailing list Ietf@xxxxxxxx https://www.ietf.org/mailman/listinfo/ietf