
Re: authmeth-14 notes

On Sun, 6 Mar 2005, Hallvard B Furuseth wrote:

> 3.1.6. Server Identity Check
>
> Matching is performed according to these rules:
>
> Can someone remind me why this is specified here instead of in [TLS]? It doesn't look LDAP-specific. I can't find the answer in the archive.

TLS regards this as application-specific, and indeed applications do vary. TLS for SMTP says almost nothing about server name checking, for example.

You could certainly make a case that there should be a standard name-matching procedure including wildcard processing that multiple app protocols could refer to, to avoid duplication and needless difference between app protocols. Unfortunately no one has done this, perhaps because it's rather hard to coordinate among all the apps and specs that profile TLS. A generic "Application Protocol Use of TLS" doc might include other stuff too like recommending a STARTTLS command instead of separate-port, effects of mid-stream TLS state changes on app protocol state, insecure cipher suite warnings, etc. I suspect at this point we don't want to rip all this stuff out of authmeth, write a new doc, confer with other WGs (IMAP, SMTP, BEEP, etc) for agreement, etc. Could well be the right approach for the next iteration after this one, though.

 - RL "Bob"
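As an added illustration of the kind of application-level name-matching procedure the thread is discussing (this is example code, not part of the list discussion or of the authmeth draft), the matcher below checks the hostname a client connected to against the identities presented in a server certificate. The page does not reproduce the draft's matching rules, so the rules encoded here are an assumption modelled on the LDAP server identity check: labels compare case-insensitively, a "*" wildcard is allowed only as the entire leftmost label and matches exactly one label, subjectAltName dNSName values take precedence over the CN, and (a defensive addition) a wildcard needs at least two trailing labels so "*.com" never matches.

```python
from typing import Iterable, List, Optional

# ASSUMED rules, modelled on the LDAP server identity check; not text from this page.

def _labels(name: str) -> List[str]:
    """Split a DNS name into lower-cased labels, ignoring a trailing dot."""
    name = name.strip().rstrip(".").lower()
    return name.split(".") if name else []

def dns_name_matches(presented: str, reference: str) -> bool:
    """True if a name presented in the certificate matches the reference
    identity, i.e. the hostname the client actually used to connect."""
    if "*" in reference:               # a reference identity is never a pattern
        return False
    p, r = _labels(presented), _labels(reference)
    if not p or not r or len(p) != len(r):
        return False                   # wildcard matches one label, never several
    if "*" in presented[1:]:           # "*" only as the whole leftmost label
        return False
    if p[0] == "*":
        # Defensive: require at least two labels after the wildcard, so a
        # certificate for "*.com" cannot match "example.com".
        return len(p) >= 3 and p[1:] == r[1:]
    return p == r

def server_identity_check(reference: str, san_dns: Iterable[str],
                          cn: Optional[str]) -> bool:
    """Check the reference identity against the certificate's identities.
    san_dns: subjectAltName dNSName values; cn: subject CN, used only when no
    dNSName entries are present at all."""
    san_dns = list(san_dns)
    if san_dns:
        return any(dns_name_matches(n, reference) for n in san_dns)
    return cn is not None and dns_name_matches(cn, reference)

if __name__ == "__main__":
    # Constructed sample certificate identities for a hypothetical LDAP server.
    sans = ["mail.example.com", "*.example.com"]
    print(server_identity_check("ldap.example.com", sans, "other.example.com"))  # True
    print(server_identity_check("a.b.example.com", sans, None))                 # False
```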