On 10-09-13 7:03 PM, "Shumon Huque" <shuque(_at_)isc(_dot_)upenn(_dot_)edu>
Authorized by whom? I *think* that here the DNS domain name is one that
the certified subject has itself authorized (perhaps even "established"
is better) to provide the desired service. Therefore I suggest an
"A DNS domain name which the certified subject has
authorized to provide the identified service."
I don't think the term "authorized" makes the situation any
Let's take a concrete example: an IMAP client attempting to
connect to and use the IMAP service at "example.com".
It needs to look up the "_imap._tcp.example.com." DNS SRV record
to figure out which servers and ports to connect to.
And in the presented certificate, it needs to expect to find an
SRVName identifier with "_imap.example.com" as its contents,
where the _Service and Name components were the same ones it used
in the SRV query.
There is no need to figure out who authorized what.
I agree here. Both to this and to former speakers stating that the assertion
is made by the CA and not the subject.
I'm struggling with the most easy to understand text, but I think this says
at least the correct thing:
"A DNS domain name, representing a domain for which the certificate
issuer has asserted that the certified subject is a legitimate
provider of the identified service."
Ietf mailing list
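The IMAP check described in the thread, as an added example that is not part of the original messages: the client derives both the SRV query name and the expected SRVName from the same service and domain it started with, then compares that reference against the SRVName values presented in the certificate. Function names, the sample identifiers, and the ASCII-only, case-insensitive comparison are assumptions of this sketch.

```python
# Added illustration; names and sample data are assumptions, not from the thread.

def srv_query_name(service, proto, domain):
    """DNS owner name for the SRV lookup, e.g. _imap._tcp.example.com."""
    return f"_{service}._{proto}.{domain.rstrip('.')}."

def expected_srvname(service, domain):
    """Reference SRVName: _Service.Name, with no _Proto label."""
    return f"_{service}.{domain.rstrip('.')}"

def parse_srvname(value):
    """Split a presented SRVName into (service, name); None if malformed."""
    if not value.startswith("_") or "." not in value:
        return None
    service, name = value[1:].split(".", 1)
    name = name.rstrip(".")
    # A second underscore label (such as _tcp) means this is a DNS owner
    # name, not an SRVName, so it is rejected rather than trimmed.
    if not service or not name or name.startswith("_"):
        return None
    # Assumption: ASCII names compared case-insensitively.
    return service.lower(), name.lower()

def cert_matches(service, domain, presented_srvnames):
    """True if any presented SRVName equals the one built from the query inputs.

    The reference identity comes from what the client asked for, never from
    the target host names returned in the SRV answer.
    """
    want = parse_srvname(expected_srvname(service, domain))
    return want is not None and any(
        parse_srvname(v) == want for v in presented_srvnames
    )

if __name__ == "__main__":
    # Constructed sample: SRVName values as they might appear in certificates.
    samples = [
        ["_imap.example.com"],        # same service, same domain
        ["_pop3.example.com"],        # different service
        ["_imap.example.net"],        # different domain
        ["_imap._tcp.example.com"],   # DNS owner name, not an SRVName
    ]
    print("query:", srv_query_name("imap", "tcp", "example.com"))
    for names in samples:
        print(names, "->", cert_matches("imap", "example.com", names))
```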