On 9/8/10 8:21 AM, Stefan Santesson wrote:
> My apology,
>
> I just realized that the document defines "source domain" as what I thought
> would be the "target domain"
>
>    source domain: The fully-qualified DNS domain name that a client
>    expects an application service to present in the certificate.
>
> Which makes my comments below a bit wrong.
>
> I think it would be better to discuss this in terms of "reference
> identifier" and "presented identifier".
>
>    presented identifier: An identifier that is presented by a server to
>    a client within the server's PKIX certificate when the client
>    attempts to establish a secure connection with the server; the
>    certificate can include one or more presented identifiers of
>    different types.
>
>    reference identifier: An identifier that is used by the client for
>    matching purposes when checking the presented identifiers; the
>    client can attempt to match multiple reference identifiers of
>    different types.
>
> I see no problem in obtaining the reference identifier from a DNS lookup and
> then comparing it with a presented identifier in the certificate.
>
> Why would you require the reference identity to be provided by a human user?

Because the user is trying to connect to (say) a source domain of example.com, not a target domain of apps.hosting.net. Jeff and I have assumed all along that normal humans don't know anything about such hosting services or other delegated parties (heck, normal humans know very little about SSL/TLS or certificates or DNS resolution or any of the other magic that happens behind the scenes, but we assume that normal humans at least think they want to connect to bigbank.com and not possiblyshadydelegationservice.info).

Peter

--
Peter Saint-Andre
https://stpeter.im/

_______________________________________________
Ietf mailing list
Ietf@xxxxxxxx
https://www.ietf.org/mailman/listinfo/ietf
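As an added illustration, not part of this thread, the following Python models the client-side check the two definitions describe and the point of Peter's reply: the same presented identifiers pass or fail depending on whether the reference identifier is the source domain the user asked for or a target domain derived from an unauthenticated DNS lookup. The host names, the simplified matching rules (exact DNS-ID match plus a wildcard only as the complete left-most label) and all function names are assumptions made for this example.

```python
# Constructed example: reference identifier vs presented identifier matching.

def matches(reference_id: str, presented_id: str) -> bool:
    """True if one presented DNS-ID matches the reference identifier.

    Simplified rules (assumed for this example): labels compare
    case-insensitively, the label count must agree, and '*' is honoured
    only when it is the entire left-most label of the presented name.
    """
    ref = reference_id.lower().rstrip(".").split(".")
    pres = presented_id.lower().rstrip(".").split(".")
    if len(ref) != len(pres):
        return False
    if any("*" in lbl for lbl in pres[1:]) or ("*" in pres[0] and pres[0] != "*"):
        return False
    return all(p == "*" or p == r for p, r in zip(pres, ref))


def check_certificate(reference_ids, presented_ids):
    """Return the first (reference, presented) pair that matches, else None."""
    for ref in reference_ids:
        for pres in presented_ids:
            if matches(ref, pres):
                return (ref, pres)
    return None


# Constructed scenario: the user wants example.com (source domain); an
# SRV/CNAME lookup points at apps.hosting.net (target domain), whose
# certificate carries only the hosting provider's own names.
PRESENTED_IDS = ["apps.hosting.net", "*.hosting.net"]


def user_supplied_check():
    # Reference identifier comes from the user: the source domain only.
    # The hosting provider's certificate does not satisfy it.
    return check_certificate(["example.com"], PRESENTED_IDS)


def dns_derived_check():
    # Reference identifier taken from the DNS answer: the provider's
    # certificate matches, so whoever can influence that lookup can also
    # choose which certificate the client will accept.
    return check_certificate(["apps.hosting.net"], PRESENTED_IDS)


if __name__ == "__main__":
    print("user-supplied reference:", user_supplied_check())
    print("DNS-derived reference:  ", dns_derived_check())
```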