
Re: [certid] Review of draft-saintandre-tls-server-id-check

2010-09-13 13:50:53
On 9/13/10 11:59 AM, Stefan Santesson wrote:

> On 10-09-13 7:03 PM, "Shumon Huque" <shuque(_at_)isc(_dot_)upenn(_dot_)edu>
> wrote:
>
>>> Authorized by whom? I *think* that here the DNS domain name is one that
>>> the certified subject has itself authorized (perhaps even "established"
>>> is better) to provide the desired service. Therefore I suggest an
>>> alternative wording:
>>>
>>>      "A DNS domain name which the certified subject has
>>>       authorized to provide the identified service."
>>>
>>> Peter
>>
>> I don't think the term "authorized" makes the situation any
>> clearer.
>>
>> Let's take a concrete example: an IMAP client attempting to
>> connect to and use the IMAP service at "example.com".
>>
>> It needs to look up the "_imap._tcp.example.com." DNS SRV record
>> to figure out which servers and ports to connect to.
>>
>> And in the presented certificate, it needs to expect to find an
>> SRVName identifier with "_imap.example.com" as its contents,
>> where the _Service and Name components were the same ones it used
>> in the SRV query.
>>
>> There is no need to figure out who authorized what.
>
> I agree here, both with this and with former speakers stating that the
> assertion is made by the CA and not the subject.
>
> I'm struggling with the easiest-to-understand text, but I think this says
> at least the correct thing:
>
>       "A DNS domain name, representing a domain for which the certificate
>        issuer has asserted that the certified subject is a legitimate
>        provider of the identified service."

+1
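
The IMAP example Shumon gives above, worked through in code. This is an added illustration, not code from the draft or from any participant in the thread: it assumes an X.509 parser has already handed back the subjectAltName entries as (type, value) pairs, with SRVName values tagged by the RFC 4985 otherName OID, and the sample certificates are constructed inline. The check derives the expected _Service and Name from the SRV query the client actually made, so a certificate that only names the SRV target host (which came from the DNS answer, not from the service the user asked for) does not match.

```python
"""Match a server certificate's SRVName (SRV-ID) identifiers against the
SRV record the client queried, as in the "_imap._tcp.example.com" example.

Hypothetical helper code; the sample subjectAltName lists are constructed.
"""

from typing import Iterable, Optional, Tuple

# RFC 4985 id-on-dnsSRV: the otherName type-id under which SRVName values
# appear in subjectAltName. Assumed here as the tag an X.509 parser returns.
ID_ON_DNS_SRV = "1.3.6.1.5.5.7.8.7"


def parse_srv_query(qname: str) -> Tuple[str, str]:
    """Split an SRV query name "_imap._tcp.example.com." into
    ("_imap", "example.com"), dropping the _Proto label."""
    labels = qname.rstrip(".").split(".")
    if len(labels) < 3 or not labels[0].startswith("_") or not labels[1].startswith("_"):
        raise ValueError(f"not an SRV query name: {qname!r}")
    service, _proto, *name = labels
    return service, ".".join(name)


def parse_srvname(srvname: str) -> Tuple[str, str]:
    """Split an SRVName value "_Service.Name" into its two components."""
    if not srvname.startswith("_") or "." not in srvname:
        raise ValueError(f"malformed SRVName: {srvname!r}")
    service, name = srvname.split(".", 1)
    return service, name.rstrip(".")


def srvname_matches(srvname: str, service: str, name: str) -> bool:
    """True if the SRVName carries the same _Service and Name the client used
    in its SRV query. Both parts compare case-insensitively (service label
    per RFC 4985, domain name per DNS rules)."""
    try:
        cert_service, cert_name = parse_srvname(srvname)
    except ValueError:
        return False
    return cert_service.lower() == service.lower() and cert_name.lower() == name.lower()


def find_matching_srv_id(san_entries: Iterable[Tuple[str, str]], qname: str) -> Optional[str]:
    """Return the first SRVName in subjectAltName that matches the query, or
    None. Other entry types (e.g. a dNSName for the SRV target host) are
    ignored: the target host was learned from the SRV answer, not from the
    service the user asked for, so it proves nothing by itself."""
    service, name = parse_srv_query(qname)
    for entry_type, value in san_entries:
        if entry_type == ID_ON_DNS_SRV and srvname_matches(value, service, name):
            return value
    return None


# Constructed samples: what a client might see after resolving
# _imap._tcp.example.com and being directed to imap1.example.com.
QUERY = "_imap._tcp.example.com."
GOOD_CERT = [("dNSName", "imap1.example.com"), (ID_ON_DNS_SRV, "_imap.example.com")]
TARGET_ONLY_CERT = [("dNSName", "imap1.example.com")]
WRONG_SERVICE_CERT = [(ID_ON_DNS_SRV, "_submission.example.com")]

if __name__ == "__main__":
    for label, cert in (("good", GOOD_CERT),
                        ("target-only", TARGET_ONLY_CERT),
                        ("wrong-service", WRONG_SERVICE_CERT)):
        print(f"{label}: {find_matching_srv_id(cert, QUERY)}")
```

Only the SRV-ID comparison is shown; chain validation and any DNS-ID fallback policy are separate steps that the draft addresses elsewhere.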


_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf