On Mon, Sep 13, 2010 at 10:18:00AM -0600, Peter Saint-Andre wrote:
> On 9/9/10 1:36 PM, Stefan Santesson wrote:
> > On 10-09-09 8:38 PM, "Shumon Huque" <shuque(_at_)isc(_dot_)upenn(_dot_)edu> wrote:
> > > Earlier in RFC 4985, it says:
> > >
> > >    The SRVName, if present, MUST contain a service name and a domain
> > >    name in the following form:
> > >
> > >       _Service.Name
> > >
> > >    The content of the components of this name form MUST be consistent
> > >    with the corresponding definition of these components in an SRV RR
> > >    according to RFC 2782
> > >
> > > I think this was actually clear enough. The subsequent statement that
> > > Name is "The DNS domain name of the domain where the specified service
> > > is located." (which could mean any of a number of things) confused the
> > > issue, and probably should not have been in the document.
> >
> > Agreed, but since it will be an errata, the text must be corrected.
> >
> > Do you agree with my proposal?
> >
> >    "The DNS domain name of a domain for which the certified subject
> >    is authorized to provide the identified service."
>
> Authorized by whom? I *think* that here the DNS domain name is one that
> the certified subject has itself authorized (perhaps even "established"
> is better) to provide the desired service. Therefore I suggest an
> alternative wording:
>
>    "A DNS domain name which the certified subject has
>    authorized to provide the identified service."
>
> Peter

I don't think the term "authorized" makes the situation any
clearer.

Let's take a concrete example: an IMAP client attempting to
connect to and use the IMAP service at "example.com".

It needs to look up the "_imap._tcp.example.com." DNS SRV record
to figure out which servers and ports to connect to.

And in the presented certificate, it needs to expect to find an
SRVName identifier with "_imap.example.com" as its contents,
where the _Service and Name components were the same ones it used
in the SRV query.

There is no need to figure out who authorized what.

--
Shumon Huque
University of Pennsylvania.
_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf
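
The check described in the concrete example above, written out as an added example that is not part of the original message or of RFC 4985. The function names, the sample SRV target host and the case-insensitive comparison are assumptions of this sketch, and the SRVName strings are taken as already extracted from the certificate.

```python
# Added example: derive the SRVName a client should expect from the SRV
# query it issued, and compare it with the SRVName values in a certificate.
# All names and sample values here are constructed for illustration.

def expected_srvname(srv_query: str) -> str:
    """Map an SRV owner name (_service._proto.domain) to the form _Service.Name."""
    labels = srv_query.rstrip(".").split(".")
    if (len(labels) < 3 or not all(labels)
            or len(labels[0]) < 2 or not labels[0].startswith("_")
            or len(labels[1]) < 2 or not labels[1].startswith("_")):
        raise ValueError(f"not an SRV owner name: {srv_query!r}")
    # The _proto label is dropped; Name is the domain that was queried,
    # not the target host the SRV record points to.
    return f"{labels[0]}.{'.'.join(labels[2:])}"

def _canon(name: str) -> str:
    # Assumption: compare as DNS names, ignoring ASCII case and a trailing dot.
    return name.rstrip(".").lower()

def cert_matches_query(srv_query: str, cert_srvnames: list[str]) -> bool:
    """True if any SRVName in the certificate equals the expected one exactly."""
    want = _canon(expected_srvname(srv_query))
    return any(_canon(n) == want for n in cert_srvnames)

if __name__ == "__main__":
    query = "_imap._tcp.example.com."          # what the IMAP client looked up
    samples = {                                 # constructed certificate contents
        "same service and domain": ["_imap.example.com"],
        "different case": ["_IMAP.Example.COM"],
        "names the SRV target host": ["_imap.mail.hosting.example.net"],
        "different service": ["_imaps.example.com"],
    }
    print("expected SRVName:", expected_srvname(query))
    for label, names in samples.items():
        print(f"{label:28} -> {cert_matches_query(query, names)}")
```

A certificate that names only the host returned by the SRV lookup fails this check, because that host name was never part of the client's query.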