
Re: authmeth-16 TLS issues



Roger Harrison writes:
> You've persuaded me to rethink my approach to the server identity
> check section.  I've made some adjustments to remove the
> ordering. Here's my proposed replacement for rules 1-3 in the -16
> draft:

Looks good, except for a few wording nitpicks.  (Haven't had time to
check it against other recent authmeth comments though.)

> The client determines the type (e.g. DNS name or IP address) of the
> reference identity and performs a comparison between the reference
> identity and each subjectAltName value of the corresponding type until
> a match is produced.  Once a match is produced, the server's identity
> is verified and the server identity check is complete.

s/is verified/has been verified/.

(It needs a different tense from the surrounding text, so it
doesn't look like something else the client should do.)


> The server's identity may also be verified by comparing the reference
> identity to the Common Name value of the least significant RDN of the
> subjectName field of the server's certificate.  Note that the TLS
> implementation may display DNs in certificates according to X.509's
> rules rather than LDAP's rules.  For example, RDNs in a DN may be
> ordered left-to-right instead of right-to-left.

I still think "the RDN" is clearer than "the least significant RDN",
since I'm not used to the term "least significant" with this meaning for
non-numbers.  That goes poorly with the last sentence of the "RDNs" in
the DN though.  s/RDNs/components/ in last sentence would allow for it,
but I'm not quite sure that's an improvement.

-- 
Hallvard
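The identity check as Roger's proposed rules 1-3 describe it, written out as an added example (it is not code from the draft or from either poster). It assumes certificate fields in the shape Python's ssl.getpeercert() returns and treats DNS-name comparison as exact, case-insensitive matching, which the quoted text does not specify.

```python
import ipaddress

# Constructed sample (not from the thread), shaped like ssl.getpeercert():
# 'subject' lists RDNs in the certificate's X.509 order (most significant
# first), each RDN a tuple of (type, value) pairs; 'subjectAltName' is (type, value).
SAMPLE_CERT = {
    "subject": ((("countryName", "NO"),),
                (("organizationName", "Example"),),
                (("commonName", "ldap.example.com"),)),
    "subjectAltName": (("DNS", "directory.example.com"),
                       ("IP Address", "192.0.2.10")),
}

def reference_identity_type(reference):
    """Classify the reference identity as 'IP Address' or 'DNS'."""
    try:
        ipaddress.ip_address(reference)
        return "IP Address"
    except ValueError:
        return "DNS"

def values_match(kind, reference, presented):
    """Compare one presented value with a reference identity of the same type."""
    if kind == "IP Address":
        try:  # normalise so textual variants of one address compare equal
            return ipaddress.ip_address(presented) == ipaddress.ip_address(reference)
        except ValueError:
            return False
    # DNS names: exact, case-insensitive match (assumption; the draft does not say)
    return presented.lower() == reference.lower()

def least_significant_rdn_cn(subject):
    """CN of the least significant RDN: the LAST RDN in X.509 order, which the
    LDAP string form (RFC 4514) prints FIRST, as the quoted note warns."""
    for attr_type, value in (subject[-1] if subject else ()):
        if attr_type == "commonName":
            return value
    return None

def ldap_string_dn(subject):
    """Render the subject in LDAP order, least significant RDN first."""
    return ",".join("+".join(f"{t}={v}" for t, v in rdn) for rdn in reversed(subject))

def server_identity_check(reference, cert):
    """Proposed rules: SAN values of the reference identity's type, then the CN
    of the least significant subject RDN; verified once anything matches."""
    kind = reference_identity_type(reference)
    for san_type, san_value in cert.get("subjectAltName", ()):
        if san_type == kind and values_match(kind, reference, san_value):
            return True
    cn = least_significant_rdn_cn(cert.get("subject", ()))
    return cn is not None and values_match(kind, reference, cn)
```

Note that the SAN entries of the other type are never consulted, so an IP reference identity is only checked against "IP Address" entries and the CN.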