Peter, After the past discussions, the remaining things on my review list are: General: consider substituting ³PKIX-based systems² and ³PKIX Certificates² with ³PKI systems based on RFC 5280² and ³RFC 5280 Certificates², alternatively include [PKIX] brackets to clarify that it references RFC 5280. General: I would consider stating that server certificates according to this profile either MUST or SHOULD have the serverAuth EKU set since it is allways related to the use of TSL and server authentication. At least it MUST be set when allowing checks of the CN-ID (see 2.3 below). 1.3.2 and section 3 SRVName is described as an extension in 1.3.2, but is in fact a Subject Alt Name (otherName form) RFC 4985. This error is repeated in section 3, bullet 4, on page 16. 1.1. s/an application services/an application service 1.2 I find the following text is hard to understand: ³(this document addresses only the DNS domain name of the application service itself, not the entire trust chain)² I¹m not sure what the DNS domain name has to do with checking the entire trust chain. Further, this document discuss more name forms than the DNS domain name. Perhaps this sentence was meant to say: "(this document only addresses name forms in the leaf server certificate, not any name forms in the chain of certificate used to validate the server certificate)" 2.3 It would be good if we could restrict the use of CN-ID for storing a domain name to the case when the serverAuth EKU is set. Requiring the EKU reduce the probability that the CN-ID appears to be a domain name by accident or is a domain name in the wrong context. In many deployments, this also affects the name constraints processing to perform domain name constraints also on the CN attribute. There should at least be a rule stating that any client that accepts the CN attribute to carry the domain name MUST also perform name constraints on this attribute using the domain name logic if name constraints is applied to the path. Failing this requirement poses a security threat if the claimed domain name in CN-ID violated the name constraints set for domain names. 4.4.3 checking wildcard labels The restriction to match against only one subdomain seems to not be compatible with FRC 4592. RFC 4592 states: A wildcard domain name can have subdomains. There is no need to inspect the subdomains to see if there is another asterisk label in any subdomain. Further, I'm pretty sure that the rule of this draft is incompatible with many deployments of wildcard matching. I recall in Microsoft we allowed any number of subdomains when I was involved with the CAPI team. 4.6.2 States: In this case, the client MUSTverify that the presented certificate matches the cached certificate and (if it is an interactive client) MUST notify the user if the certificate has changed since the last time a secure connection was successfully negotiated How does the client know if the certificate has changed or whether it just obtained an unauthorized certificate? I guess in some cases it would work but I feel sure there are exception cases where the client just has a configured certificate but no knowledge of what it obtained the last time it talked to the server. /Stefan _______________________________________________ Ietf mailing list Ietf@xxxxxxxx https://www.ietf.org/mailman/listinfo/ietf