Re: authmeth-14 notes
On Sun, 6 Mar 2005, Hallvard B Furuseth wrote:
> 3.1.6. Server Identity Check
> Matching is performed according to these rules:
> Can someone remind me why this is specified here instead of in [TLS]?
> It doesn't look LDAP-specific. I can't find the answer in the archive.
TLS regards this as application-specific, and indeed applications do vary.
TLS for SMTP says almost nothing about server name checking, for example.
You could certainly make a case that there should be a standard
name-matching procedure including wildcard processing that multiple app
protocols could refer to, to avoid duplication and needless difference
between app protocols. Unfortunately no one has done this, perhaps
because it's rather hard to coordinate among all the apps and specs that
profile TLS. A generic "Application Protocol Use of TLS" doc might
include other stuff too like recommending a STARTTLS command instead of
separate-port, effects of mid-stream TLS state changes on app protocol
state, insecure cipher suite warnings, etc. I suspect at this point we
don't want to rip all this stuff out of authmeth, write a new doc, confer
with other WGs (IMAP, SMTP, BEEP, etc) for agreement, etc. Could well be
the right approach for the next iteration after this one, though.
- RL "Bob"
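The message above argues for a single, application-independent name-matching procedure (including wildcard handling) that any protocol profiling TLS could reference. The following is an added illustration of what such a procedure looks like in code; it is not from this thread, the authmeth draft, or any LDAP implementation. Its rules (wildcard only as the whole left-most label, matching exactly one label, dNSName subjectAltNames preferred over the subject CN) are the kind later standardized in RFC 6125 and are assumptions here, not the draft's text.

```python
"""Server identity check for a TLS client (added example, not from the
ldapbis thread). The rules are assumed, RFC 6125-style generic rules;
an actual LDAP client must follow whatever its spec profiles."""


def match_identifier(reference: str, presented: str) -> bool:
    """Return True if a presented DNS identifier (from a certificate)
    matches the reference identity the client intended to reach."""
    ref = reference.rstrip(".").lower()
    pres = presented.rstrip(".").lower()
    if not ref or not pres:
        return False
    # No wildcard: require an exact, case-insensitive label-for-label match.
    if "*" not in pres:
        return ref == pres
    pres_labels = pres.split(".")
    ref_labels = ref.split(".")
    # Wildcard is accepted only as the entire left-most label, and only
    # when at least two fixed labels follow it (reject "*.com" and "l*.x.y").
    if pres_labels[0] != "*" or len(pres_labels) < 3:
        return False
    # '*' matches exactly one label, never "a.b" or the empty label.
    if len(ref_labels) != len(pres_labels):
        return False
    # Do not let a wildcard cover an internationalized (A-label) left label.
    if ref_labels[0].startswith("xn--"):
        return False
    return ref_labels[1:] == pres_labels[1:]


def check_server_identity(reference: str, san_dns_names, subject_cn):
    """Apply the check against a certificate's identifiers.

    If any dNSName subjectAltName is present, only those are consulted;
    the subject CN is a fallback used solely when no dNSName SAN exists.
    """
    if san_dns_names:
        return any(match_identifier(reference, n) for n in san_dns_names)
    return subject_cn is not None and match_identifier(reference, subject_cn)


if __name__ == "__main__":
    # Constructed sample certificate identifiers, not real hosts.
    sans = ["mail.example.com", "*.example.com"]
    print(check_server_identity("ldap.example.com", sans, "ignored-cn"))
    print(check_server_identity("a.b.example.com", sans, "ignored-cn"))
```

The check is deliberately strict about what a wildcard may cover: a certificate for `*.example.com` must not be accepted for `example.com` itself or for `a.b.example.com`, and a CN must not rescue a connection when the certificate carries dNSName SANs that do not match, since those are the errors that turn a nominal identity check into no check at all.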