Re: authmeth-16 TLS issues
Roger Harrison writes:
> You've persuaded me to rethink my approach to the server identity
> check section. I've made some adjustments to remove the
> ordering. Here's my proposed replacement for rules 1-3 in the -16
> draft:
Looks good, except for a few wording nitpicks. (Haven't had time to
check it against other recent authmeth comments though.)
> The client determines the type (e.g. DNS name or IP address) of the
> reference identity and performs a comparison between the reference
> identity and each subjectAltName value of the corresponding type until
> a match is produced. Once a match is produced, the server's identity
> is verified and the server identity check is complete.
s/is verified/has been verified/.
(It needs a different tense from the surrounding text, so it
doesn't look like something else the client should do.)
> The server's identity may also be verified by comparing the reference
> identity to the Common Name value of the least significant RDN of the
> subjectName field of the server's certificate. Note that the TLS
> implementation may display DNs in certificates according to X.509's
> rules rather than LDAP's rules. For example, RDNs in a DN may be
> ordered left-to-right instead of right-to-left.
I still think "the RDN" is clearer than "the least significant RDN",
since I'm not used to the term "least significant" with this meaning for
non-numbers. That goes poorly with the last sentence of the "RDNs" in
the DN though. s/RDNs/components/ in last sentence would allow for it,
but I'm not quite sure that's an improvement.
--
Hallvard
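As an added illustration of the two rules quoted above (this is not code from the authmeth draft, nor from either correspondent), the following Python sketch performs the server identity check over a certificate in the dict shape that Python's `ssl.SSLSocket.getpeercert()` returns: `subjectAltName` values of the reference identity's type are tried first, and the Common Name of the least significant RDN is the fallback. The sample certificates are constructed, the helper names are my own, and only the comparisons the quoted text describes are implemented (no wildcard handling, which the quoted rules do not mention). The remark about RDN order in the last helper is the same point made in the quoted note about X.509 versus LDAP display rules.

```python
import ipaddress
from typing import Optional, Tuple

# Constructed sample certificates in the shape returned by
# ssl.SSLSocket.getpeercert(): "subject" is a tuple of RDNs in X.509 order
# (root first), "subjectAltName" is a tuple of (type, value) pairs.
SAMPLE_CERT_WITH_SAN = {
    "subject": (
        (("countryName", "XX"),),
        (("organizationName", "Example Org"),),
        (("commonName", "ldap.example.com"),),
    ),
    "subjectAltName": (
        ("DNS", "ldap.example.com"),
        ("DNS", "directory.example.com"),
        ("IP Address", "192.0.2.10"),
        ("IP Address", "2001:db8::10"),
    ),
}

SAMPLE_CERT_CN_ONLY = {
    "subject": (
        (("organizationName", "Example Org"),),
        (("commonName", "ldap.example.net"),),
    ),
}

# getpeercert() spells the IP-address SAN type as "IP Address".
_SAN_TYPE = {"DNS": "DNS", "IP": "IP Address"}


def reference_identity_type(reference: str) -> str:
    """Classify the reference identity as 'IP' or 'DNS', the two types named in the draft."""
    try:
        ipaddress.ip_address(reference)
        return "IP"
    except ValueError:
        return "DNS"


def identities_match(ref_type: str, reference: str, presented: str) -> bool:
    """Compare one presented identity with the reference identity.

    IP addresses are compared as parsed addresses so that textual variants
    of the same IPv6 address still match; DNS names are compared
    case-insensitively with any trailing dot removed.
    """
    if ref_type == "IP":
        try:
            return ipaddress.ip_address(presented) == ipaddress.ip_address(reference)
        except ValueError:
            return False
    return presented.lower().rstrip(".") == reference.lower().rstrip(".")


def leaf_common_name(cert: dict) -> Optional[str]:
    """Return the CN of the least significant RDN, or None if there is none.

    getpeercert() lists RDNs in X.509 order (root first), so the least
    significant RDN is the last element; an LDAP-style DN string would show
    it first. Picking by position avoids depending on the display order.
    """
    subject = cert.get("subject", ())
    if not subject:
        return None
    for attr_type, value in subject[-1]:
        if attr_type == "commonName":
            return value
    return None


def check_server_identity(reference: str, cert: dict) -> Tuple[bool, Optional[str]]:
    """Apply the quoted rules; returns (verified, which field matched)."""
    ref_type = reference_identity_type(reference)
    san_type = _SAN_TYPE[ref_type]
    # Rule 1: compare against each subjectAltName of the corresponding type
    # until a match is produced; the first match completes the check.
    for san_kind, value in cert.get("subjectAltName", ()):
        if san_kind == san_type and identities_match(ref_type, reference, value):
            return True, "subjectAltName"
    # Rule 2: fall back to the CN of the least significant RDN of the subject.
    cn = leaf_common_name(cert)
    if cn is not None and identities_match(ref_type, reference, cn):
        return True, "commonName"
    return False, None


if __name__ == "__main__":
    for ref, cert in (
        ("LDAP.EXAMPLE.COM", SAMPLE_CERT_WITH_SAN),
        ("2001:0db8::10", SAMPLE_CERT_WITH_SAN),
        ("ldap.example.net", SAMPLE_CERT_CN_ONLY),
        ("other.example.com", SAMPLE_CERT_WITH_SAN),
    ):
        print(ref, check_server_identity(ref, cert))
```

Against a live connection one would pass `sock.getpeercert()` as `cert`; the point of the dict-based interface is that the identity comparison can be exercised offline, separately from the TLS handshake.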