On Wed, Sep 08, 2010 at 11:08:29PM +0200, Stefan Santesson wrote:
On 10-09-08 9:53 PM, "Shumon Huque" <shuque(_at_)isc(_dot_)upenn(_dot_)edu>
wrote:
The output of the SRV record lookup contains a target hostname,
not a service name, so it's not applicable to the SRVName name
form. The target could be used in another name form (dNSName)
as the reference identifier, but then the client needs to convince
itself that the lookup was done securely (DNSSEC or some other
means) otherwise there's a security problem.
I disagree,
A client can use the output from the DNS lookup also from a normal insecure
DNS server.
The only thing the client need to do is to verify that the domain name
provided in the input to the lookup matches the host names provided in the
output. It can then safely use the host names in the SRV record as reference
identifiers IF the SRV-ID in the server certificate matches the the
reference identifier.
This only works if the certificate matching rules say something
like "match the SRVName AND also match the DNS resolved target
hostname in dNSName". If a client attempts to match _only_ the DNS
resolved hostname without DNSSEC, there is a security problem.
The question is: what should the certificate matching rules say
when encountering a certificate with multiple identity types?
Right now the draft approximately says "find a match" (ie. find
ANY match), rather than match some logically AND'ed combination of
identity types.
http://tools.ietf.org/html/draft-saintandre-tls-server-id-check-09#section-4
--
Shumon Huque
University of Pennsylvania.
_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf