At 10:08 AM -0600 9/13/10, Peter Saint-Andre wrote: >As I see it, this I-D is attempting to capture best current practices >regarding the issuance and checking of certificates containing >application server identities. Do we have evidence that any existing >certification authorities issue certificates containing both an SRVname >for the source domain (e.g., example.com) and dNSName for the target >domain (e.g., apphosting.example.net)? Do we have evidence that any >existing application clients perform such checks? If not, I would >consider such complications to be out of scope for this I-D. A big +1 here. It is a Good Thing that people are starting to look at the interaction between SRV and security (it's also happening on the keyassure list), but it definitely seems like "starting to look at". Please do not instantiate anything until this has been discussed more widely. --Paul Hoffman, Director --VPN Consortium _______________________________________________ Ietf mailing list Ietf@xxxxxxxx https://www.ietf.org/mailman/listinfo/ietf