
authmeth-16 TLS issues



3.1. Sequencing of the StartTLS Operation

This header name seems poor, sections 3.1.* describe much more than
sequencing.  It's mostly 3.1.1 which talks about that - except that the
actions described in sections 3.1.* should be performed in the sequence
they occur in the draft.


3.1.1. StartTLS Request
3.1.2. StartTLS Response

If the last sentence of 3.1.2 is moved to [protocol] as I suggested in
thread "[Protocol] clarification on StartTLS resonse", maybe these two
sections should be merged.  There wouldn't be much left of 3.1.2, and
3.1.1 already talks a bit about the response anyway.


3.1.5. Server Identity Check

Why are the checks to perform ordered?  The order seems irrelevant
since there is no "fail and don't check anything else" step.

If the reason is that clients can derive a security factor or something
from which identity was used, please mention that.

But if so, I wonder a bit about CN vs. subjectAltName.  If the CN is an
exact match and the subjectAltName is either a wildcard match or matches
via a derived name, the CN would be a more reliable match and should be
done first.  Or...?


3.1.5.1. Comparison of DNS Names

> "If the reference identity is an internationalized domain name,
> conforming implementations MUST convert it to the ASCII Compatible
> Encoding (ACE) format as specified in section 4 of RFC 3490 [RFC3490]
> before comparison with subjectAltName values of type dNSName."

Only for subjectAltName:dNSName, not for CN?

If that's deliberate and certificate CNs may not contain
internationalized domain names, I suggest this is mentioned explicitly.

-- 
Hallvard
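As an added illustration (not part of the post or of the draft) of the 3.1.5 / 3.1.5.1 points raised above: a server identity check that converts the reference identity to ACE (RFC 3490 ToASCII, which Python's standard `idna` codec implements) before comparing it with presented dNSName values, honours a single leading wildcard label, and then, as the hypothetical extension the post asks about, applies the same ACE comparison to the CN. Names and certificates below are constructed sample values.

```python
from typing import Iterable, Optional


def to_ace(name: str) -> str:
    """RFC 3490 ToASCII for a whole hostname, lower-cased for comparison.

    Returns "" for names the codec rejects (empty label, over-long label),
    which the callers treat as "no match".
    """
    try:
        return name.rstrip(".").encode("idna").decode("ascii").lower()
    except UnicodeError:
        return ""


def dns_name_matches(reference: str, presented: str) -> bool:
    """Compare a reference identity with one presented name (dNSName or CN)."""
    ref, pres = to_ace(reference), to_ace(presented)
    if not ref or not pres:
        return False
    if pres.startswith("*."):
        # A wildcard only in the leftmost label, covering exactly one label
        # of the reference name: "*.example" matches "host.example" but
        # neither the bare "example" nor "a.b.example".
        ref_labels = ref.split(".")
        return len(ref_labels) >= 2 and ref_labels[1:] == pres[2:].split(".")
    return ref == pres


def server_identity_check(reference: str, san_dns_names: Iterable[str],
                          cn: Optional[str] = None) -> Optional[str]:
    """Return which identity matched ("dNSName" or "CN"), or None.

    subjectAltName dNSName values are checked first, the CN last; the CN
    receives the same ACE conversion, which is the behaviour the post
    questions rather than what the draft text states.
    """
    for name in san_dns_names:
        if dns_name_matches(reference, name):
            return "dNSName"
    if cn is not None and dns_name_matches(reference, cn):
        return "CN"
    return None


if __name__ == "__main__":
    # Constructed sample: an IDN reference identity against a certificate
    # whose dNSName is already in ACE form, then against a wildcard.
    print(to_ace("bücher.example"))
    print(server_identity_check("bücher.example", ["xn--bcher-kva.example"]))
    print(server_identity_check("bücher.example", ["*.example"], cn="other"))
```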