Re: Review of draft-saintandre-tls-server-id-check

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Mon Sep 13 19:48:56 2010, Peter Saint-Andre wrote:
On 9/13/10 11:05 AM, Dave Cridland wrote:
> Looking at the draft, it seems to read that I should check dNSName
> first, and then, only if this matches, check xmppAddr or sRVName. This > seems odd - sRVName and xmppAddr (and URI) all contain a superset of the > data contained, so why look at dNSName if a more specific match exists?

Earlier versions of this draft had somewhat elaborate rules about
ordering of reference identifiers. Those rules were removed in -09
because folks on the certid@xxxxxxxx list argued persuasively that they were not necessary because "first match wins" is good enough. Naturally,
an implementation might have a preference order of reference
identifiers, but such an order is not mandated by this I-D.

Ah, I see my confusion. §4.4 says:

4.4. Verifying a Domain Name

  The client MUST match the source domain of a reference identifier
  according to the following rules

And §4.5 says:

4.5. Verifying an Application Type

  A client SHOULD check not only the domain name but also the service
  type of the service to which it connects.

Now, I misconstrued that to mean "MUST use dNSName, SHOULD use sRVName", which is purely me misreading.

Up to you whether you think other people will be as silly as me, and what to do about it if so.

Dave.
--
Dave Cridland - mailto:dave@xxxxxxxxxxxx - xmpp:dwd@xxxxxxxxxxxxxxxxx
 - acap://acap.dave.cridland.net/byowner/user/dwd/bookmarks/
 - http://dave.cridland.net/
Infotrope Polymer - ACAP, IMAP, ESMTP, and Lemonade
_______________________________________________
Ietf mailing list
Ietf@xxxxxxxx
https://www.ietf.org/mailman/listinfo/ietf



[Index of Archives]     [IETF Annoucements]     [IETF]     [IP Storage]     [Yosemite News]     [Linux SCTP]     [Linux Newbies]     [Fedora Users]