Peter,

On 10-09-13 6:08 PM, "Peter Saint-Andre" <stpeter@xxxxxxxxxx> wrote:

>
> Hi Shumon,
>
> As I see it, this I-D is attempting to capture best current practices
> regarding the issuance and checking of certificates containing
> application server identities. Do we have evidence that any existing
> certification authorities issue certificates containing both an SRVname
> for the source domain (e.g., example.com) and dNSName for the target
> domain (e.g., apphosting.example.net)? Do we have evidence that any
> existing application clients perform such checks? If not, I would
> consider such complications to be out of scope for this I-D.
>
> That said, we need to be aware that if such usage arises in the future,
> someone might write a document that updates or obsoletes this I-D; in
> fact the present authors very much expect that such documents will
> emerge after the Internet community (specifically certification
> authorities, application service providers, and application client
> developers) have gained more experience with PKIX certificates in the
> context of various application technologies.
>
> Peter

I would like to turn the question around and ask why this specification needs to have an opinion on whether a relying party feels he has to check both host name and service?

I'm not against describing the typical case, as long as this specification does not imply that a relying party that has a reason to check two name types is doing something wrong.

I have no extremely good examples of practical implementation here, but checking both host name and service seems like both extremely easy and good practice.

/Stefan
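The combined check discussed in this thread (an SRVName for the source domain plus a dNSName for the target host), as an added example that is not part of either message or of the I-D. The service label `xmpp-client`, the function names, the wildcard policy and the subjectAltName entries are assumptions constructed for illustration; a real client would take the entries from a certificate whose chain has already been validated.

```python
from typing import Dict, Iterable, List, Tuple

SanEntry = Tuple[str, str]  # (name type, value) as decoded from subjectAltName

def _labels(name: str) -> List[str]:
    """Split a DNS-style name into lower-cased labels, ignoring a trailing dot."""
    return name.rstrip(".").lower().split(".")

def dns_name_matches(presented: str, reference: str) -> bool:
    """Compare a dNSName with the expected host name.

    Policy assumed here: '*' is honoured only as the complete left-most
    label, covers exactly one label, and needs two labels after it.
    """
    p, r = _labels(presented), _labels(reference)
    if len(p) != len(r):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == r[1:]
    return p == r

def srv_name_matches(presented: str, service: str, domain: str) -> bool:
    """Compare an SRVName of the form _Service.Name (RFC 4985).

    This example accepts no wildcards in an SRVName.
    """
    p = _labels(presented)
    return p[0] == "_" + service.lower() and p[1:] == _labels(domain)

def check_both(san: Iterable[SanEntry], service: str,
               source_domain: str, target_host: str) -> Dict[str, bool]:
    """Require the service at the source domain AND the target host name."""
    entries = list(san)
    srv_ok = any(t == "SRVName" and srv_name_matches(v, service, source_domain)
                 for t, v in entries)
    dns_ok = any(t == "dNSName" and dns_name_matches(v, target_host)
                 for t, v in entries)
    return {"srv": srv_ok, "dns": dns_ok, "accept": srv_ok and dns_ok}

# Constructed subjectAltName sets using the domain names from the thread.
SAN_BOTH = [("SRVName", "_xmpp-client.example.com"),
            ("dNSName", "apphosting.example.net")]
SAN_DNS_ONLY = [("dNSName", "apphosting.example.net")]
SAN_WRONG_HOST = [("SRVName", "_xmpp-client.example.com"),
                  ("dNSName", "other.example.net")]

if __name__ == "__main__":
    for san in (SAN_BOTH, SAN_DNS_ONLY, SAN_WRONG_HOST):
        print(check_both(san, "xmpp-client", "example.com",
                         "apphosting.example.net"))
```

A certificate carrying only the hosting provider's dNSName passes a host-name-only check but fails this one, because nothing in it binds the host to the source domain's service.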