On Mon Sep 13 18:59:03 2010, Stefan Santesson wrote:
> I agree here. Both to this and to former speakers stating that the assertion
> is made by the CA and not the subject.
Well, I'd say the assertion is the presence of the SAN in the cert. I
mean, an assertion is a positive statement made *without* evidence.
The evidence is then the signature of the issuer, who certifies the
assertion - it doesn't matter who makes that assertion. But anyway,
that's somewhat moot, and as Shumon points out, we needn't care about
who authorized what unto whom.
> I'm struggling with the most easy to understand text, but I think this says
> at least the correct thing:
>
> "A DNS domain name, representing a domain for which the certificate
> issuer has asserted that the certified subject is a legitimate
> provider of the identified service."
"The requested DNS domain name for the specified service. That is,
the domain name which would be found in the URI for the service, and
other protocol identifiers of a similar nature. Where the service is
directly requested by hostname, this domain name would be the
requested hostname."
I think that covers all the cases I'd expect by example, without
worrying about who's asserting and certifying. No doubt someone will
reword with a sprinkling of 2119.
Dave.
--
Dave Cridland - mailto:dave@xxxxxxxxxxxx - xmpp:dwd@xxxxxxxxxxxxxxxxx
- acap://acap.dave.cridland.net/byowner/user/dwd/bookmarks/
- http://dave.cridland.net/
Infotrope Polymer - ACAP, IMAP, ESMTP, and Lemonade