From: Patrik Fältström on Tuesday, 22 June 2010 4:54 PM:
See http://tools.ietf.org/html/draft-faltstrom-uri-04 (i.e. the draft
expired a few months ago).
It seems that Section 7 has an old example in it. Did you previously use NAPTR
with a "D" flag?
For security considerations, I have one to add. RFC 3958 (S-NAPTR) has this
nasty little authentication hitch, that you should really consider in this
draft. The reference identifier (see draft-saintandre-tls-server-id-check)
that you are required to use for authenticating the host is the one that is
input to the resolution process...not the product of the process.
Basically, if you search for _http._web.example.net and get
"http://www.example.com/", then you are expected to authenticate against
_http._web.example.net (or maybe example.net, I'm not sure - NAPTR doesn't use
the '_' prefix).
I'm happy to expand on the problems that I faced with this little security
tangle. The problem doesn't end there.
Cheers,
Martin
_______________________________________________
Ietf mailing list
ietf@ietf.org
https://www.ietf.org/mailman/listinfo/ietf
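The authentication hitch Martin describes above, as an added example that is not part of the original message and not code from any IETF document or implementation: a small model of an S-NAPTR (RFC 3958) lookup followed by the TLS server identity check. The resolver walks a chain of NAPTR records (empty flags mean "query NAPTR again at the replacement", "A" and "S" are terminal) and returns both the name that was input to the resolution and the host it produced. The identity check can then be run with either name as the reference identifier. RFC 3958 requires the input name, so a target host that only presents a certificate for its own name fails; the alternative that authenticates the resolved host accepts whatever host the (unauthenticated, absent DNSSEC) NAPTR chain pointed at. The zone contents, service tag `WEB:HTTP` and certificate names are constructed test data; the function names are this example's own.

```python
"""Model of S-NAPTR (RFC 3958) resolution plus an RFC 6125-style DNS-ID
check. Everything here is constructed example data, not a real resolver."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Naptr:
    order: int
    preference: int
    flags: str        # "" = follow with another NAPTR query, "S" = SRV, "A" = address record
    service: str      # S-NAPTR service field "app-service:app-protocol", e.g. "WEB:HTTP"
    replacement: str  # next owner name (non-terminal) or target host (terminal)


# Constructed zone data: the WEB:HTTP service for example.net is delegated to a
# host under example.com via one non-terminal hop and one terminal record.
ZONE: Dict[str, List[Naptr]] = {
    "example.net": [
        Naptr(100, 10, "", "WEB:HTTP", "web.example.com"),
    ],
    "web.example.com": [
        Naptr(10, 10, "A", "WEB:HTTP", "www.example.com"),
    ],
}


def snaptr_resolve(domain: str, service: str,
                   zone: Optional[Dict[str, List[Naptr]]] = None,
                   max_hops: int = 8) -> Tuple[str, str]:
    """Return (input_domain, target_host). Records with the requested service
    are tried in (order, preference) order; the chain stops at a terminal
    "A" or "S" record. max_hops guards against looping delegations."""
    zone = ZONE if zone is None else zone
    current = domain
    for _ in range(max_hops):
        candidates = sorted(
            (r for r in zone.get(current, []) if r.service == service),
            key=lambda r: (r.order, r.preference))
        if not candidates:
            raise LookupError(f"no {service} NAPTR record at {current}")
        rec = candidates[0]
        if rec.flags in ("A", "S"):
            return domain, rec.replacement
        current = rec.replacement
    raise LookupError(f"NAPTR chain from {domain} exceeded {max_hops} hops")


def dns_id_matches(reference: str, presented: str) -> bool:
    """Compare a reference identifier with one dNSName from a certificate:
    case-insensitive, same label count, '*' allowed only as the whole
    left-most label and only when at least two more labels follow."""
    ref = reference.lower().rstrip(".").split(".")
    pres = presented.lower().rstrip(".").split(".")
    if len(ref) != len(pres):
        return False
    if pres[0] == "*":
        return len(pres) >= 3 and ref[1:] == pres[1:]
    return ref == pres


def check_server_identity(reference: str, cert_dns_names: List[str]) -> bool:
    """True if any dNSName in the presented certificate matches the reference."""
    return any(dns_id_matches(reference, name) for name in cert_dns_names)


def authenticate_snaptr_target(domain: str, service: str, cert_dns_names: List[str],
                               reference_from_input: bool = True) -> Tuple[str, str, bool]:
    """Resolve via S-NAPTR, then check the target's certificate against the
    reference identifier. reference_from_input=True is the RFC 3958 rule
    (authenticate against the name that went into the lookup); False is the
    variant that trusts the name the unauthenticated lookup produced."""
    input_domain, target = snaptr_resolve(domain, service)
    reference = input_domain if reference_from_input else target
    return reference, target, check_server_identity(reference, cert_dns_names)


if __name__ == "__main__":
    # The target host presents a certificate for its own name only.
    print(authenticate_snaptr_target("example.net", "WEB:HTTP", ["www.example.com"]))
    # The target host presents a certificate that also covers the input name.
    print(authenticate_snaptr_target("example.net", "WEB:HTTP", ["www.example.com", "example.net"]))
```

Run as a script it shows the two outcomes side by side: with the RFC 3958 rule the host at `www.example.com` must carry a certificate valid for `example.net` (or the client must accept a wildcard such as `*.net`, which `dns_id_matches` rejects), otherwise the connection fails even though the host is the legitimate delegation target. That operational burden on the target host is the "hitch" in the message; the reason the rule exists is that, without DNSSEC, the NAPTR answers that produced `www.example.com` are not themselves authenticated.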