
Re: Last Call: draft-saintandre-tls-server-id-check (Representation and Verification of Domain-Based Application Service Identity in Certificates Used with Transport Layer Security) to Proposed Standard

2010-07-17 22:29:28
On Thu, Jul 15, 2010 at 04:29:07PM -0700, Paul Hoffman wrote:
At 4:08 PM -0700 7/15/10, The IESG wrote:
The IESG has received a request from an individual submitter to consider
the following document:

- 'Representation and Verification of Domain-Based Application Service
  Identity in Certificates Used with Transport Layer Security'
  <draft-saintandre-tls-server-id-check-08.txt> as a Proposed Standard


The middle of Section 4.2 says:
   The client then orders the list in accordance with the following
   rules:
Then, in 4.3, it checks each reference in this ordered list until
it (hopefully) finds a match. Given that it is going to do an
exhaustive search, what is the purpose of ordering?

Not sure I'm following your question, but the purpose of ordering
is to look for the subject identities in preference order (SRV/URI,
before dNSName, before Common Name, etc.). Once a match is found,
the search is aborted; an exhaustive search is only performed if
the matched identity is the last one or there is no match. Section
4.3 has:

   It does so by seeking a match in preference order
   and aborting the search if any presented identifier matches one of
   its reference identifiers.  The search fails if the client exhausts
   its list of reference identifiers without finding a match.

-- 
Shumon Huque
University of Pennsylvania.
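The preference-ordered search described in the reply above, written out as an added example (it is not code from the draft or from either poster): reference identifiers are sorted by type preference, each is compared against the presented identifiers, and the search stops at the first match, so it is exhaustive only when nothing matches. The type ranks, the plain case-insensitive comparison (no wildcard handling) and the sample identifiers are my assumptions, not the draft's normative text.

```python
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple

# Assumed preference ranks (lower = checked first): SRV-ID and URI-ID before
# DNS-ID (dNSName) before CN-ID (Common Name), as the reply describes.
PREFERENCE = {"SRV-ID": 0, "URI-ID": 1, "DNS-ID": 2, "CN-ID": 3}


@dataclass(frozen=True)
class Identifier:
    kind: str   # one of the PREFERENCE keys
    value: str  # e.g. "_xmpp-server.example.com" or "example.com"


def normalize(ident: Identifier) -> Tuple[str, str]:
    # Assumption: exact comparison after lowercasing and dropping a trailing
    # dot; wildcard rules are deliberately out of scope here.
    return (ident.kind, ident.value.rstrip(".").lower())


def find_match(reference_ids: Iterable[Identifier],
               presented_ids: Iterable[Identifier]
               ) -> Tuple[Optional[Identifier], int]:
    """Return (matched reference identifier or None, number of reference
    identifiers examined). The search aborts at the first match; every
    reference identifier is examined only when there is no match."""
    ordered = sorted(reference_ids, key=lambda r: PREFERENCE[r.kind])
    presented = {normalize(p) for p in presented_ids}
    examined = 0
    for ref in ordered:
        examined += 1
        if normalize(ref) in presented:
            return ref, examined
    return None, examined


# Constructed sample: the client's reference identifiers, deliberately given
# in the wrong order so the sort step is what puts SRV-ID first.
REFERENCE = [
    Identifier("CN-ID", "example.com"),
    Identifier("DNS-ID", "example.com"),
    Identifier("SRV-ID", "_xmpp-server.example.com"),
]

# Constructed sample: identifiers a server certificate might present.
PRESENTED = [
    Identifier("DNS-ID", "EXAMPLE.COM."),
    Identifier("SRV-ID", "_xmpp-server.example.com"),
]

if __name__ == "__main__":
    print(find_match(REFERENCE, PRESENTED))
```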