
Service name + host check [Re: Last Call: Discovering LDAP Services with DNS to Proposed Standard]



"Kurt D. Zeilenga" writes:
> >"example.net"  OR  "ldap/example.net"
> 
> How a client checks the certificate is defined in RFC 2830, not

> state that RFC 2830 provides the normative specification
> of the check algorithm, not this I-D).
> 
> Service base certificate issue is NOT specific to LDAP

> Defining a service-base certificate check mechanism, if
> desired, should be drafted as an update to RFC 2830.

(If there is further discussion on this ... perhaps we should
continue it in ldapbis and not on the DNS SRV thread.)

This would be a useful thing... we already have some deployment
with this kind of naming (cn=ldap/foobar.lbl.gov).

I assume this would mod
draft-ietf-ldapbis-authmeth-xx?

pkix gives me the impression of not liking subject names that
don't fit naturally in the directory, don't represent a real
object, and/or introduce some other hierarchical structure at
a point intermediate in the tree.  (cf. the history of "e=mike@foo.lbl.gov"
in subject names).  I think Microsoft has been putting Kerberos
principal names in subjectAltName ... I don't have one I can
get at to check at the moment.  So is this kind of naming viable?

Michael Helm
ESnet/LBL
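The two accepted name forms quoted at the top of this message ("example.net" or "ldap/example.net") can be written down as a small matching routine. The following is an added example, not code from this thread, from RFC 2830, or from the authmeth draft: it treats the names a certificate presents as plain strings (where a service-qualified name would actually live, subject CN as in cn=ldap/foobar.lbl.gov or some subjectAltName type, is exactly the open question in the thread), and it makes one design choice the thread does not settle, namely that subjectAltName dNSName entries, when present, are the only names consulted and the subject CN is only a fallback. The security point it encodes is that the service prefix must never loosen the host binding: "ldap/other.example.net" or "imap/example.net" are not acceptable for an LDAP connection to example.net.

```python
"""Service-name + host check for a server certificate.

Added example (not from the thread or any RFC/draft). A certificate is
acceptable only if one of the names it presents equals either the bare
host the client connected to ("example.net") or that same host
qualified with the service the client is using ("ldap/example.net").
All sample names below are constructed.
"""
from dataclasses import dataclass, field
from typing import List


@dataclass
class PresentedNames:
    """Names carried by a server certificate (constructed stand-in for a
    parsed X.509 cert): subjectAltName dNSName values and subject CNs."""
    san_dns: List[str] = field(default_factory=list)
    subject_cn: List[str] = field(default_factory=list)


def _canon(name: str) -> str:
    """Normalise a name for comparison: strip a trailing dot, lower-case
    (DNS names are case-insensitive; the service label is treated the
    same way here, an assumption)."""
    return name.strip().rstrip(".").lower()


def candidate_names(cert: PresentedNames) -> List[str]:
    """Design choice (assumption, not from the thread): if any dNSName SAN
    is present it is the sole source of identity; the CN is consulted only
    when there is no dNSName SAN at all."""
    return cert.san_dns if cert.san_dns else cert.subject_cn


def name_matches(cert: PresentedNames, service: str, connect_host: str) -> bool:
    """Return True if the certificate names the host the client connected
    to, either bare or qualified with the service in use.

    The accepted set is built from the connection parameters only, so a
    service-qualified name for a *different* host, or a different service
    on the same host, can never match.
    """
    host = _canon(connect_host)
    accepted = {host, f"{_canon(service)}/{host}"}
    return any(_canon(n) in accepted for n in candidate_names(cert))


if __name__ == "__main__":
    # Constructed certificates, in the style of the names discussed above.
    good_qualified = PresentedNames(san_dns=["ldap/example.net"])
    good_bare_cn = PresentedNames(subject_cn=["EXAMPLE.NET."])
    wrong_host = PresentedNames(san_dns=["ldap/other.example.net"])
    wrong_service = PresentedNames(san_dns=["imap/example.net"])
    for label, cert in [("qualified", good_qualified), ("bare CN", good_bare_cn),
                        ("wrong host", wrong_host), ("wrong service", wrong_service)]:
        print(f"{label:14s} -> {name_matches(cert, 'ldap', 'example.net')}")
```

Note that this deliberately omits the wildcard and name-syntax rules a full RFC 2830 style check would apply; the example only shows how the service-qualified form fits alongside the bare host form without weakening it.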