
[authmeth] secure derivations of server hostname



There is an outstanding work item, G.25, in authmeth-05 regarding the use of derived forms of the server's name when performing the server identity check while processing a StartTLS request. Currently, the wording of section 4.1.6 says:
 
"The client MUST use the server hostname it used to open the LDAP connection as the value to compare against the server name as expressed in the server's certificate.  The client MUST NOT use any other derived form of name including the server's canonical DNS name."
 
According to my notes, Bob Morgan offered to provide some wording that would relax this restriction to allow usage of derivations of the server name that are provided securely. If Bob or some other knowledgeable member of the WG would help me with the proper wording or some information about what is acceptable, I will make the needed changes and close out the work item.
 
Thanks,
 
Roger
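The quoted section 4.1.6 rule, shown as code. This is an added example, not code from the authmeth draft or from any LDAP implementation: the strict check compares only the hostname the client used to open the connection against the certificate's dNSName entries, and beside it is the variant the MUST NOT forbids, which first canonicalises the name through a DNS CNAME answer. The certificate is modelled as a list of dNSName subjectAltName strings, the CNAME reply is a constructed dictionary standing in for an unauthenticated resolver, and the leftmost-label wildcard rule is an assumption of the example, not something the draft text states.

```python
"""Server identity check for an LDAP client after StartTLS, following the
quoted section 4.1.6 wording: compare only the hostname the client used to
open the connection against the certificate's names, never a derived name.

Added example, not code from the authmeth draft or from any LDAP library.
Certificate names are modelled as the list of dNSName subjectAltName values
(the form ssl.getpeercert() yields); wildcard handling follows the usual
leftmost-label rule, which is an assumption, not something the draft states.
"""


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Match one certificate dNSName against a hostname (case-insensitive).

    A '*' is accepted only as the whole leftmost label and matches exactly
    one non-empty label, so '*.example.com' covers 'ldap.example.com' but
    not 'example.com' or 'a.b.example.com'.
    """
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h) or len(p) < 2 or "" in h:
        return False
    if p[0] == "*":
        return p[1:] == h[1:]
    return p == h


def server_identity_ok(connect_hostname: str, cert_dns_names: list) -> bool:
    """The check as the MUST requires.

    The only name compared is connect_hostname, the exact string the client
    used to open the LDAP connection. No forward lookup, no CNAME chasing and
    no reverse lookup of the peer address happens here, so nothing an attacker
    can inject into unauthenticated DNS changes which name gets compared.
    """
    return any(dns_name_matches(name, connect_hostname) for name in cert_dns_names)


def insecure_identity_ok(connect_hostname: str, cert_dns_names: list,
                         cname_answer: dict) -> bool:
    """What the MUST NOT forbids: canonicalise the name through a DNS CNAME
    answer, then accept a certificate issued for the canonical name.

    cname_answer stands in for an unauthenticated resolver reply (constructed
    for this example). Whoever controls that reply chooses which name the
    certificate is checked against, which defeats the identity check.
    """
    canonical = cname_answer.get(connect_hostname.lower(), connect_hostname)
    return any(dns_name_matches(name, canonical) for name in cert_dns_names)


# Constructed sample data for the demonstration below.
CONNECT_HOST = "ldap.example.com"             # what the client was told to connect to
GENUINE_CERT_NAMES = ["ldap.example.com", "dc1.example.com"]
ATTACKER_CERT_NAMES = ["evil.example.net"]    # a valid cert, but for the attacker's own host
SPOOFED_CNAME = {"ldap.example.com": "evil.example.net"}   # forged resolver reply


if __name__ == "__main__":
    print("strict, genuine cert   :", server_identity_ok(CONNECT_HOST, GENUINE_CERT_NAMES))
    print("strict, attacker cert  :", server_identity_ok(CONNECT_HOST, ATTACKER_CERT_NAMES))
    print("derived, attacker cert :", insecure_identity_ok(CONNECT_HOST, ATTACKER_CERT_NAMES, SPOOFED_CNAME))
```

The third line of output is the point of the MUST NOT: with a spoofed CNAME the attacker's genuinely issued certificate for evil.example.net passes, although the client was asked for ldap.example.com. Any relaxation of the kind the message asks about would have to obtain the derived name by a path the attacker cannot influence, which the plain resolver reply modelled here is not.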