On 9/13/10 11:59 AM, Stefan Santesson wrote:
>
>
> On 10-09-13 7:03 PM, "Shumon Huque" <shuque@xxxxxxxxxxxxx> wrote:
>>>
>>> Authorized by whom? I *think* that here the DNS domain name is one that
>>> the certified subject has itself authorized (perhaps even "established"
>>> is better) to provide the desired service. Therefore I suggest an
>>> alternative wording:
>>>
>>> "A DNS domain name which the certified subject has
>>> authorized to provide the identified service."
>>>
>>> Peter
>>
>> I don't think the term "authorized" makes the situation any
>> clearer.
>>
>> Let's take a concrete example: an IMAP client attempting to
>> connect to and use the IMAP service at "example.com".
>>
>> It needs to look up the "_imap._tcp.example.com." DNS SRV record
>> to figure out which servers and ports to connect to.
>>
>> And in the presented certificate, it needs to expect to find an
>> SRVName identifier with "_imap.example.com" as its contents,
>> where the _Service and Name components were the same ones it used
>> in the SRV query.
>>
>> There is no need to figure out who authorized what.
>
> I agree here. Both to this and to former speakers stating that the assertion
> is made by the CA and not the subject.
>
> I'm struggling with the most easy to understand text, but I think this says
> at least the correct thing:
>
> "A DNS domain name, representing a domain for which the certificate
> issuer has asserted that the certified subject is a legitimate
> provider of the identified service."

+1
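
The check from the quoted IMAP example, written out as an added example that is not part of the original thread: the client derives both the SRV query name and the expected SRVName from the service and domain it started with, never from the SRV target returned by DNS. The function names are hypothetical, the SRVName strings are assumed to have been extracted from the certificate already, and comparing case-insensitively is an assumption of this sketch.

```python
def _norm_domain(name: str) -> str:
    """Lower-case a DNS name and drop any trailing root dot."""
    return name.rstrip(".").lower()


def srv_query_name(service: str, proto: str, domain: str) -> str:
    """DNS owner name to query, e.g. '_imap._tcp.example.com.'."""
    return f"_{service.lower()}._{proto.lower()}.{_norm_domain(domain)}."


def expected_srvname(service: str, domain: str) -> str:
    """SRVName the certificate must carry, e.g. '_imap.example.com'."""
    return f"_{service.lower()}.{_norm_domain(domain)}"


def split_srvname(value: str):
    """Split '_Service.Name' into (service, name); None if malformed."""
    if not value.startswith("_") or "." not in value:
        return None
    label, name = value.split(".", 1)
    service = label[1:]
    if not service or not name:
        return None
    return service.lower(), _norm_domain(name)


def cert_matches_service(service: str, domain: str, cert_srvnames) -> bool:
    """True only if some SRVName equals the (service, domain) the client
    used in its own SRV query. No suffix or wildcard matching."""
    want = (service.lower(), _norm_domain(domain))
    return any(split_srvname(v) == want for v in cert_srvnames)


if __name__ == "__main__":
    # Constructed sample: SRVName values as they might appear in two certificates.
    good_cert = ["_imap.example.com"]
    # Names the SRV target host instead of the queried domain: must not match.
    target_cert = ["_imap.mail.hosting.example.net"]
    print(srv_query_name("imap", "tcp", "example.com"))
    print(cert_matches_service("imap", "example.com", good_cert))
    print(cert_matches_service("imap", "example.com", target_cert))
```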