
Re: [authmeth] secure derivations of server hostname



Roger Harrison wrote:
I can't provide any examples, because I'm not sure what, precisely, Bob had in mind when he made his suggestion.

Without the rationale and some real-world examples I'm rather scared to relax the checking of the server's hostname in any way.


Ciao, Michael.

Bob, can you give us some insight here?
Thanks,
Roger


 >>> Michael Ströder <michael@stroeder.com> 6/29/2003 6:44:54 AM >>>
Roger Harrison wrote:
 > There is an outstanding work item, G.25, in authmeth-05 regarding
 > the use of derived forms of the server's name when performing the
 > server identity check while processing a StartTLS request. Currently,
 > the wording of section 4.1.6 says:
 >
 > "The client MUST use the server hostname it used to open the LDAP
 > connection as the value to compare against the server name as expressed
 > in the server's certificate. The client MUST NOT use any other derived
 > form of name including the server's canonical DNS name."
 >
 > According to my notes, Bob Morgan offered to provide some wording that
 > would relax this restriction to allow usage of derivations of the server
 > name that are provided securely. If Bob or some other knowledgeable
 > member of the WG would help me with the proper wording or some
 > information about what is acceptable, I will make the needed changes and
 > close out the work item.

Could you please give some examples of "derivations of the server
name that are provided securely"? Is this about using host names in the X.509v3
subjectAltName extension? I'm rather scared about relaxing this since I
suspect that insecure DNS is used to get the derivation of the server name.

Ciao, Michael.
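The following is an added example, not code from the draft or from anyone in this thread, showing the server identity check as the quoted section 4.1.6 text describes it: the name the client actually dialed is compared against the certificate's names, and nothing derived from DNS is substituted for it. The certificate is a constructed dict (subjectAltName dNSName/iPAddress entries plus a CN) rather than a parsed X.509 object, and the CNAME table stands in for an unsigned DNS answer an attacker could control; both are assumptions made for the example.

```python
"""
Server identity check for LDAP StartTLS, modelled on the quoted authmeth
section 4.1.6 text. Added example; not from the draft or the discussion.

cert is a constructed dict:
    {"san_dns": [...dNSName SANs...], "san_ip": [...iPAddress SANs...], "cn": "..."}
"""
import ipaddress


def _match_dns(connect_host: str, cert_name: str) -> bool:
    """Case-insensitive DNS name match. A single '*' is allowed only as the
    leftmost label and matches exactly one label (so *.example.com matches
    ldap.example.com but not a.b.example.com or example.com)."""
    h = connect_host.rstrip(".").lower().split(".")
    c = cert_name.rstrip(".").lower().split(".")
    if len(h) != len(c) or len(h) < 2:
        return False
    if c[0] == "*":
        return h[1:] == c[1:]
    return h == c


def server_identity_ok(connect_host: str, cert: dict) -> bool:
    """connect_host MUST be the literal string the client used to open the
    connection. The caller must not pass a resolved or canonical name."""
    try:
        ip = ipaddress.ip_address(connect_host)
    except ValueError:
        ip = None
    if ip is not None:
        # An IP literal is only matched against iPAddress SANs, never dNSName.
        return any(ipaddress.ip_address(x) == ip for x in cert.get("san_ip", []))
    san = cert.get("san_dns", [])
    if san:
        return any(_match_dns(connect_host, n) for n in san)
    # Legacy fallback: consult the CN only when there are no dNSName SANs.
    cn = cert.get("cn")
    return bool(cn) and _match_dns(connect_host, cn)


# Constructed, untrusted DNS answer: what an attacker who controls the
# unsigned DNS path could make "ldap.example.com" resolve through.
FAKE_DNS_CNAME = {"ldap.example.com": "ldap.evil.example"}


def canonical_name(host: str) -> str:
    """Assumed stand-in for 'resolve to the canonical DNS name'."""
    return FAKE_DNS_CNAME.get(host, host)


# Constructed certificates: the legitimate server's and the attacker's.
LEGIT_CERT = {"san_dns": ["ldap.example.com", "*.example.com"], "cn": "ldap.example.com"}
ATTACKER_CERT = {"san_dns": ["ldap.evil.example"], "cn": "ldap.evil.example"}


def demo() -> dict:
    """Compare checking the literal dialed name against checking a
    DNS-derived canonical name, for the same attacker-presented cert."""
    dialed = "ldap.example.com"
    return {
        "literal_vs_legit": server_identity_ok(dialed, LEGIT_CERT),
        "literal_vs_attacker": server_identity_ok(dialed, ATTACKER_CERT),
        # Using the derived name accepts the attacker's valid-looking cert:
        "derived_vs_attacker": server_identity_ok(canonical_name(dialed), ATTACKER_CERT),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The third result is the point of Michael's concern: once the client trusts a CNAME (or any other name it learned from the network) and compares that instead of what the user typed, an attacker who can answer DNS needs only a certificate for a name they legitimately control.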