On 23 jun 2010, at 16.33, Richard L. Barnes wrote:
> In principle, example.com is the proper domain to authenticate, but in
> practice, that causes a lot of problems. Consider the case where the target
> of the redirection is a separate entity from the origin; this could arise,
> for example, in a situation where example.com has outsourced its calendaring
> services to calendarserverfoobar.com.
So, the "connect the dots" is to:
- Announce the fact example.com is hosted at calendarserverfoobar.com (with
some URL) in DNS
- Secure that announcement in DNS with DNSSEC
- Verify the SSL (for example) cert for the connection to
calendarserverfoobar.com matches
- Do application layer authentication etc over the then encrypted connection
Sounds ok?
Patrik
_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf
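
The first three steps of the list in the message above, written out as a client-side check. This is an added example, not code from the thread or from any IETF specification. The Delegation type, the function names and the rule that the source domain always remains an acceptable certificate name are assumptions made for illustration, and the sample data is constructed.

```python
from __future__ import annotations
from dataclasses import dataclass

@dataclass
class Delegation:
    """Outcome of the DNS lookup announcing where a domain's service is hosted."""
    source: str         # domain the user asked for, e.g. example.com
    target: str         # host named in the DNS announcement
    dnssec_valid: bool  # True only if the resolver validated the DNSSEC chain

def name_matches(pattern: str, host: str) -> bool:
    """Compare a certificate dNSName with a host; '*' covers the leftmost label only."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # Refuse wildcards directly under a top-level label such as "*.com".
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def reference_names(d: Delegation) -> list[str]:
    """Names the client will accept in the server certificate.

    Assumption: the source domain is always acceptable. The target is added
    only when the announcement was DNSSEC-validated, because an unsigned
    answer can be forged to name a host the attacker holds a valid cert for.
    """
    names = [d.source]
    if d.dnssec_valid:
        names.append(d.target)
    return names

def connection_allowed(d: Delegation, cert_dns_names: list[str]) -> bool:
    """Announcement, DNSSEC and certificate checks; application auth follows."""
    return any(name_matches(c, ref)
               for ref in reference_names(d) for c in cert_dns_names)

# Constructed sample data using the domain names from the thread.
SIGNED = Delegation("example.com", "calendarserverfoobar.com", True)
UNSIGNED = Delegation("example.com", "calendarserverfoobar.com", False)
HOSTER_CERT = ["calendarserverfoobar.com", "*.calendarserverfoobar.com"]

if __name__ == "__main__":
    print("signed delegation, hoster cert:  ", connection_allowed(SIGNED, HOSTER_CERT))
    print("unsigned delegation, hoster cert:", connection_allowed(UNSIGNED, HOSTER_CERT))
```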