Peter,
I'm not sure if this one is already on your list or not, but I
didn't see it addressed in -08:
I don't think the characterization of SRV-ID as an "indirect"
(i.e. DNS-resolved) identifier is correct.
Whether a subject name is indirect or not depends on the content
of the identifier field and how that content was obtained, rather
than on the identifier type itself.
In most cases, indirect identifiers will be found in DNS-ID or CN-ID,
as a result of DNS resolution of SRV, CNAME, or other records. If an
application is trying to authenticate such identities, then the
document needs to clearly state under what conditions it is safe to
do so (DNSSEC, or a static mapping rule in the client). The document
does touch on safe derivation rules later (currently in 4.2). But the
direct/indirect classification of identity types needs to be
corrected (or just eliminated).
I said some more here:
http://www.ietf.org/mail-archive/web/certid/current/msg00220.html
--
Shumon Huque
University of Pennsylvania.
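The distinction drawn above (an identifier is "indirect" because of how the client obtained it, not because of its type, and a DNS-resolved name is only safe to verify under DNSSEC or a static client-side mapping) can be made concrete with a small reference-identifier derivation. The following is an added example written for this page; it is not code or text from the draft, from the IETF, or from the poster. The hostnames example.com, xmpp1.hosting.example and attacker.example, the service name xmpp-client, and the certificate identifier lists are all constructed for illustration.

```python
"""Deriving reference identifiers for a service located via DNS SRV.

Added illustration, not the draft's own rules. The source domain is what the
user or configuration asked for and is always a direct identifier. The SRV
target came from a DNS answer; unless that answer was DNSSEC-validated or the
mapping is statically configured in the client, it is attacker-influenced and
must not become a reference identifier, or an attacker who spoofs the SRV
answer simply presents a certificate valid for the name he chose.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Resolution:
    source_domain: str      # e.g. "example.com" (typed by the user / configured)
    service: str            # e.g. "xmpp-client" (SRV service label, no "_tcp")
    srv_target: str         # hostname from the SRV answer (constructed here)
    dnssec_validated: bool  # True only if the resolver validated the answer


def reference_identifiers(r: Resolution,
                          static_targets: frozenset[str] = frozenset()
                          ) -> dict[str, list[str]]:
    """Return the identifiers the client may match the certificate against.

    SRV-ID uses the RFC 4985 SRVName form "_Service.Name" built from the
    source domain. The SRV target is admitted as a DNS-ID only when the
    DNS answer was DNSSEC-validated or the target is statically configured.
    """
    ids = {
        "SRV-ID": [f"_{r.service}.{r.source_domain}"],
        "DNS-ID": [r.source_domain],
    }
    if r.dnssec_validated or r.srv_target in static_targets:
        ids["DNS-ID"].append(r.srv_target)
    return ids


def match_cert(presented: dict[str, list[str]],
               reference: dict[str, list[str]]) -> str | None:
    """Exact, case-insensitive match of presented against reference ids.

    `presented` is a constructed stand-in for the identifiers found in the
    certificate's subjectAltName. Wildcards and CN-ID fallback are
    deliberately out of scope for this illustration.
    """
    for kind in ("SRV-ID", "DNS-ID"):   # prefer the more specific type
        for ref in reference.get(kind, []):
            for pres in presented.get(kind, []):
                if pres.lower() == ref.lower():
                    return f"{kind}:{pres}"
    return None


if __name__ == "__main__":
    # Unvalidated DNS: attacker spoofs the SRV target and presents a cert
    # that is genuinely valid for attacker.example. It must NOT match.
    spoofed = Resolution("example.com", "xmpp-client", "attacker.example", False)
    print(match_cert({"DNS-ID": ["attacker.example"]},
                     reference_identifiers(spoofed)))        # None

    # DNSSEC-validated answer: the hosting provider's cert for the real
    # target is acceptable, because the target name is now authenticated.
    secured = Resolution("example.com", "xmpp-client", "xmpp1.hosting.example", True)
    print(match_cert({"DNS-ID": ["xmpp1.hosting.example"]},
                     reference_identifiers(secured)))        # DNS-ID:xmpp1.hosting.example
```

The same check accepts the provider's certificate without DNSSEC only if `xmpp1.hosting.example` is passed in `static_targets`, i.e. the operator configured the mapping in the client rather than trusting an unauthenticated DNS answer for it; a certificate carrying the SRV-ID `_xmpp-client.example.com` matches in every case, since that identifier is derived from the source domain alone.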
On Fri, Jul 23, 2010 at 09:25:43AM -0600, Peter Saint-Andre wrote:
Sorry, I haven't yet had a chance to review the feedback that's been
provided during this Last Call. I'll do that en route to Maastricht
today. Next week Jeff and I will discuss in person the points that have
been raised, and then we'll post further regarding our proposed changes
to the spec.
Peter
On 7/15/10 5:08 PM, The IESG wrote:
The IESG has received a request from an individual submitter to consider
the following document:
- 'Representation and Verification of Domain-Based Application Service
Identity in Certificates Used with Transport Layer Security '
<draft-saintandre-tls-server-id-check-08.txt> as a Proposed Standard
The IESG plans to make a decision in the next few weeks, and solicits
final comments on this action. Please send substantive comments to the
ietf(_at_)ietf(_dot_)org mailing lists by 2010-08-12. Exceptionally,
comments may be sent to iesg(_at_)ietf(_dot_)org instead. In either case, please
retain the beginning of the Subject line to allow automated sorting.
The file can be obtained via
http://www.ietf.org/internet-drafts/draft-saintandre-tls-server-id-check-08.txt
IESG discussion can be tracked via
https://datatracker.ietf.org/public/pidtracker.cgi?command=view_id&dTag=18634&rfc_flag=0
_______________________________________________
IETF-Announce mailing list
IETF-Announce(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf-announce
_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf