On Wed, Sep 08, 2010 at 08:44:56AM -0700, Bernard Aboba wrote: > So the statement that "RFC 4985 appears to require matching of the source > domain/service type to the SRV-ID in the certificate" is correct, right? I think so. It seems pretty obvious to me from Section 2 that's what is meant: http://tools.ietf.org/html/rfc4985#section-2 ie. take the "Service" and "Name" components of the SRV record owner name (and ignore the _Proto component), and construct "_Service.Name". > If the "reference identifier" is _Service.Name then the match is being done > on the *input* to the SRV lookup process, not the output, and prohibition on > DNS lookups would not apply (or even make any sense). Yes. The output of the SRV record lookup contains a target hostname, not a service name, so it's not applicable to the SRVName name form. The target could be used in another name form (dNSName) as the reference identifier, but then the client needs to convince itself that the lookup was done securely (DNSSEC or some other means) otherwise there's a security problem. -- Shumon Huque University of Pennsylvania. _______________________________________________ Ietf mailing list Ietf@xxxxxxxx https://www.ietf.org/mailman/listinfo/ietf