Re: Review of draft-saintandre-tls-server-id-check

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 





On 10-09-08 9:53 PM, "Shumon Huque" <shuque@xxxxxxxxxxxxx> wrote:

>> If the "reference identifier" is  _Service.Name then the match is being done
>> on the *input* to the SRV lookup process, not the output, and prohibition on
>> DNS lookups would not apply (or even make any sense).
> 
> Yes.
> 
> The output of the SRV record lookup contains a target hostname,
> not a service name, so it's not applicable to the SRVName name
> form. The target could be used in another name form (dNSName)
> as the reference identifier, but then the client needs to convince
> itself that the lookup was done securely (DNSSEC or some other
> means) otherwise there's a security problem.

I disagree,

A client can use the output from the DNS lookup also from a normal insecure
DNS server.

The only thing the client need to do is to verify that the domain name
provided in the input to the lookup matches the host names provided in the
output. It can then safely use the host names in the SRV record as reference
identifiers IF the SRV-ID in the server certificate matches the the
reference identifier.

A false host represented by a false identifier from a bad DNS server will
not be able to present a trusted certificate that supports it's claim to be
an authorized provider of the requested service for the domain in question.

/Stefan
 


_______________________________________________
Ietf mailing list
Ietf@xxxxxxxx
https://www.ietf.org/mailman/listinfo/ietf


[Index of Archives]     [IETF Annoucements]     [IETF]     [IP Storage]     [Yosemite News]     [Linux SCTP]     [Linux Newbies]     [Fedora Users]