
Re: [certid] Review of draft-saintandre-tls-server-id-check

2010-09-13 12:03:51

On Sep 13, 2010, at 12:18 PM, Peter Saint-Andre wrote:

> On 9/9/10 1:36 PM, Stefan Santesson wrote:
>
>> On 10-09-09 8:38 PM, "Shumon Huque" <shuque(_at_)isc(_dot_)upenn(_dot_)edu>
>> wrote:
>>
>>> Earlier in RFC 4985, it says:
>>>
>>>   The SRVName, if present, MUST contain a service name and a domain
>>>   name in the following form:
>>>
>>>      _Service.Name
>>>
>>>   The content of the components of this name form MUST be consistent
>>>   with the corresponding definition of these components in an SRV RR
>>>   according to RFC 2782
>>>
>>> I think this was actually clear enough. The subsequent statement that
>>> Name is "The DNS domain name of the domain where the specified service
>>> is located." (which could mean any of a number of things) confused the
>>> issue, and probably should not have been in the document.
>>
>> Agreed, but since it will be an errata, the text must be corrected.
>>
>> Do you agree with my proposal?
>>
>>    "The DNS domain name of a domain for which the certified subject
>>     is authorized to provide the identified service."
>
> Authorized by whom? I *think* that here the DNS domain name is one that
> the certified subject has itself authorized (perhaps even "established"
> is better) to provide the desired service. Therefore I suggest an
> alternative wording:
>
>     "A DNS domain name which the certified subject has
>      authorized to provide the identified service."
>
> Peter

I don't think that's right either, since it's the *issuer* of the cert that's making the assertion. Maybe something like the following:
"
A DNS domain name for which the issuer authorizes the subject to provide the indicated service.
"
_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf
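The thread argues over how to describe the Name component of an RFC 4985 SRVName, but the mechanical part is uncontested: the value must have the form _Service.Name, with Service and Name consistent with an SRV RR per RFC 2782, and a client matching an SRV-ID as in draft-saintandre-tls-server-id-check compares the presented SRVName against the reference identifier exactly, case-insensitively, with no wildcards. The following is an added example, not code from the draft, RFC 4985 or any participant in the thread. It assumes the SRVName values have already been extracted from a certificate's subjectAltName otherName entries (the SAMPLE_SAN_SRVNAMES list is constructed, not real certificate data), and it reads Name as the source domain from the SRV owner name, which is the reading Shumon Huque's message takes. Service labels are restricted to letter/digit/hyphen syntax as a simplification of RFC 2782's "symbolic name".

```python
"""Parse RFC 4985 SRVName values and match them against a reference SRV-ID."""
import re

# Constructed sample of SRVName strings as they might be pulled from a
# certificate's subjectAltName (hypothetical data for this example only).
SAMPLE_SAN_SRVNAMES = [
    "_xmpp-server.example.com",
    "_XMPP-Client.Example.COM.",   # mixed case and trailing dot: still well-formed
    "xmpp-client.example.com",     # missing leading underscore: malformed
    "_xmpp-client",                # no domain name component: malformed
]

# Letters, digits and hyphens, no leading/trailing hyphen, at most 63 octets
# (RFC 1123 host-label syntax; used here for both Service and Name labels as
# a simplification of RFC 2782's "symbolic name of the desired service").
_LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def parse_srvname(srvname):
    """Split an SRVName of the form _Service.Name into (service, name).

    Both components are lower-cased and a trailing dot on Name is removed so
    that equal identifiers compare equal. Raises ValueError for anything that
    is not of the RFC 4985 form.
    """
    if not srvname.startswith("_"):
        raise ValueError("service component must begin with '_': %r" % srvname)
    service, sep, name = srvname[1:].partition(".")
    if not sep:
        raise ValueError("SRVName needs both a service and a domain name: %r" % srvname)
    if not _LABEL_RE.match(service):
        raise ValueError("invalid service label: %r" % service)
    name = name.rstrip(".")
    if not name or not all(_LABEL_RE.match(label) for label in name.split(".")):
        raise ValueError("invalid DNS domain name: %r" % name)
    return service.lower(), name.lower()


def srv_id_matches(reference_id, presented_id):
    """Return True if a presented SRVName matches the client's reference SRV-ID.

    Matching is exact and case-insensitive on both components: no wildcards,
    no parent- or sub-domain matching (a certificate naming
    _xmpp-client.example.com does not cover _xmpp-client.im.example.com),
    and a different service at the same domain does not match.
    """
    try:
        return parse_srvname(reference_id) == parse_srvname(presented_id)
    except ValueError:
        return False


def find_matching_srvname(reference_id, presented_ids):
    """Return the first presented SRVName matching reference_id, else None.

    Malformed presented values are skipped rather than failing the whole
    check, the way a client ignores a SAN entry it cannot interpret.
    """
    for presented in presented_ids:
        if srv_id_matches(reference_id, presented):
            return presented
    return None


if __name__ == "__main__":
    ref = "_xmpp-client.example.com"
    print("client reference SRV-ID:", ref)
    for cand in SAMPLE_SAN_SRVNAMES:
        try:
            print("  %-30s -> %s" % (cand, parse_srvname(cand)))
        except ValueError as err:
            print("  %-30s -> malformed (%s)" % (cand, err))
    print("match:", find_matching_srvname(ref, SAMPLE_SAN_SRVNAMES))
```

Whatever wording the erratum settles on, the comparison a client performs is the one above: the reference identifier is built from the service type and the source domain the client looked up, and only an SRVName whose Name is that same domain counts as a match.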