Peter,
On 10-09-13 6:08 PM, "Peter Saint-Andre" <stpeter(_at_)stpeter(_dot_)im> wrote:
Hi Shumon,
As I see it, this I-D is attempting to capture best current practices
regarding the issuance and checking of certificates containing
application server identities. Do we have evidence that any existing
certification authorities issue certificates containing both an SRVname
for the source domain (e.g., example.com) and dNSName for the target
domain (e.g., apphosting.example.net)? Do we have evidence that any
existing application clients perform such checks? If not, I would
consider such complications to be out of scope for this I-D.
That said, we need to be aware that if such usage arises in the future,
someone might write a document that updates or obsoletes this I-D; in
fact the present authors very much expect that such documents will
emerge after the Internet community (specifically certification
authorities, application service providers, and application client
developers) have gained more experience with PKIX certificates in the
context of various application technologies.
Peter
I would like to turn the question around and ask why this specification need
to have an opinion on whether a relying party feels he have to check both
host name and service?
I'm not against describing the typical case, as long as this specification
does not imply that a relying party that has a reason to check two name
types is doing something wrong.
I have no extremely good examples of practical implementation here but
checking both host name and service seems like both extremely easy and good
practice.
/Stefan
_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf