On 9/13/10 1:18 PM, Dave Cridland wrote:
> On Mon Sep 13 19:48:56 2010, Peter Saint-Andre wrote:
>> On 9/13/10 11:05 AM, Dave Cridland wrote:
>> > Looking at the draft, it seems to read that I should check dNSName
>> > first, and then, only if this matches, check xmppAddr or sRVName. This
>> > seems odd - sRVName and xmppAddr (and URI) all contain a superset of the
>> > data contained, so why look at dNSName if a more specific match exists?
>>
>> Earlier versions of this draft had somewhat elaborate rules about
>> ordering of reference identifiers. Those rules were removed in -09
>> because folks on the certid@xxxxxxxx list argued persuasively that they
>> were not necessary because "first match wins" is good enough. Naturally,
>> an implementation might have a preference order of reference
>> identifiers, but such an order is not mandated by this I-D.
>
> Ah, I see my confusion. §4.4 says:
>
> 4.4. Verifying a Domain Name
>
> The client MUST match the source domain of a reference identifier
> according to the following rules
>
> And §4.5 says:
>
> 4.5. Verifying an Application Type
>
> A client SHOULD check not only the domain name but also the service
> type of the service to which it connects.
>
> Now, I misconstrued that to mean "MUST use dNSName, SHOULD use sRVName",
> which is purely me misreading.
>
> Up to you whether you think other people will be as silly as me, and
> what to do about it if so.

A forward reference seems appropriate:

   The client MUST match the source domain of a reference identifier
   according to the following rules (and SHOULD also check the service
   type as described under Section 4.5).

Peter

--
Peter Saint-Andre
https://stpeter.im/
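
The "first match wins" behaviour discussed in this thread, as an added Python example that is not part of the thread or of the draft's text. It covers only dNSName and sRVName; the `Identifier` type, the function names, the sample certificates, and the exact-match comparison without wildcards are all assumptions made for illustration.

```python
from typing import NamedTuple, Optional, Sequence

class Identifier(NamedTuple):
    kind: str                      # "dNSName" or "sRVName"
    domain: str                    # source domain
    service: Optional[str] = None  # service type, carried only by sRVName

def from_srv_name(value: str) -> Identifier:
    """Split an sRVName of the form '_service.domain' into its two parts."""
    label, _, domain = value.partition(".")
    if len(label) < 2 or not label.startswith("_") or not domain:
        raise ValueError(f"not an sRVName: {value!r}")
    return Identifier("sRVName", domain, label[1:])

def _norm(name: str) -> str:
    # Simplification (assumption): case-insensitive exact match, no wildcards.
    return name.rstrip(".").lower()

def matches(ref: Identifier, presented: Identifier) -> bool:
    if ref.kind != presented.kind:
        return False
    if _norm(ref.domain) != _norm(presented.domain):    # domain check
        return False
    if ref.kind == "sRVName":                            # service-type check
        return _norm(ref.service or "") == _norm(presented.service or "")
    return True

def first_match(references: Sequence[Identifier],
                presented: Sequence[Identifier]) -> Optional[Identifier]:
    """Walk the client's reference identifiers in its own preference order
    and return the first one that any presented identifier satisfies."""
    for ref in references:
        if any(matches(ref, p) for p in presented):
            return ref
    return None

# Constructed sample data: the client prefers the more specific identifier.
REFERENCES = [from_srv_name("_xmpp-client.example.com"),
              Identifier("dNSName", "example.com")]
CERT_XMPP = [Identifier("dNSName", "Example.COM"),
             from_srv_name("_xmpp-client.example.com")]
CERT_IMAP = [Identifier("dNSName", "example.com"),
             from_srv_name("_imap.example.com")]
CERT_OTHER = [Identifier("dNSName", "example.net")]

if __name__ == "__main__":
    for name, cert in [("xmpp", CERT_XMPP), ("imap", CERT_IMAP), ("other", CERT_OTHER)]:
        hit = first_match(REFERENCES, cert)
        print(name, "->", hit.kind if hit else "no match")
```

With `CERT_IMAP`, the sRVName names a different service, so the match falls through to the dNSName and only the domain has been verified.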