
FW: draft-ietf-ldapext-ldapv3-tls-03.txt



> section 4.6 of the draft contains
> 
>    - The client MUST use the server hostname it used to open
>      the LDAP connection as the value to compare against the
>      server name as expressed in the server's certificate.
>      The client MUST NOT use the server's canonical DNS name or
>      any other derived form of name.
> 
This isn't clear to me in the following cases: What if a CNAME was
encountered in the name resolution process? What if SRV records were used in
the name resolution process? I believe that the correct answer is that the
name to be checked against the certificate is the one used to start the name
resolution process, not any intermediate results (because DNS is not
typically secure). However, the names of CNAME and SRV records aren't
typically called "hostnames".

How about calling the name used to open the LDAP connection the "target
name" or something in order to avoid this confusion? And maybe words about
CNAME and SRV records (and MX too, if it is possible that this model would
be used in a mail delivery protocol context) to clarify even further?

Paul
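The rule argued for above, that the certificate is compared against the name the client started with and never against a CNAME or SRV result, written out as an added example. This is not code from the draft or from the message; the DNS records, host names and certificate names in it are constructed for illustration, and the wildcard rule and the "fewer than three labels" cut-off are this example's own assumptions, not text from the draft.

```python
"""Certificate name check that uses only the name the client started with.

Added example, not code from the LDAPv3-over-TLS draft or from the message
above. The DNS records, host names and certificate names are constructed
for illustration.
"""
import ipaddress
from typing import Iterable

# Constructed DNS data standing in for what a resolver would return. Neither
# the SRV target nor the CNAME target is authenticated, so neither can be
# trusted as the identity to compare the server certificate against.
DNS = {
    "SRV": {"_ldap._tcp.example.org": ("ldap1.hosting.example.net", 636)},
    "CNAME": {"ldap.example.org": "ldap-cluster.hosting.example.net"},
}


def resolve_target(target: str, dns: dict) -> tuple[str, int, str]:
    """Follow SRV and CNAME indirections for an LDAP target name.

    Returns (host_to_connect_to, port, reference_identity). The reference
    identity is always the original target name; the intermediate SRV and
    CNAME results are used only to find the host to connect to.
    """
    reference_identity = target.lower().rstrip(".")
    host, port = reference_identity, 636
    srv = dns.get("SRV", {}).get(f"_ldap._tcp.{reference_identity}")
    if srv is not None:
        host, port = srv
    seen = set()
    while host in dns.get("CNAME", {}):
        if host in seen:
            raise ValueError(f"CNAME loop at {host}")
        seen.add(host)
        host = dns["CNAME"][host]
    return host, port, reference_identity


def dns_id_matches(presented: str, reference: str) -> bool:
    """Compare one dNSName from the certificate with the reference identity.

    Case-insensitive, trailing dot ignored. A wildcard is accepted only as the
    whole left-most label, it covers exactly one label, and (an assumption of
    this example) it is refused for names with fewer than three labels so
    that "*.org" cannot match "example.org".
    """
    p = presented.lower().rstrip(".").split(".")
    h = reference.lower().rstrip(".").split(".")
    if "*" not in presented:
        return p == h
    if p[0] != "*" or any("*" in label for label in p[1:]):
        return False
    if len(p) != len(h) or len(h) < 3:
        return False
    return p[1:] == h[1:]


def certificate_matches(reference_identity: str,
                        san_dns_names: Iterable[str],
                        san_ip_addresses: Iterable[str] = ()) -> bool:
    """Decide whether the server certificate is for the reference identity.

    If the client opened the connection by IP literal, only iPAddress SANs
    count; a dNSName that happens to resolve to that address is not used.
    """
    if "*" in reference_identity:
        return False  # a reference identity is never a pattern
    try:
        ref_ip = ipaddress.ip_address(reference_identity)
    except ValueError:
        ref_ip = None
    if ref_ip is not None:
        return any(ipaddress.ip_address(a) == ref_ip for a in san_ip_addresses)
    return any(dns_id_matches(n, reference_identity) for n in san_dns_names)


def verify_ldap_tls(target: str, dns: dict, san_dns_names: Iterable[str]) -> bool:
    """Resolve the target, then check the certificate against the original name only."""
    _host, _port, reference_identity = resolve_target(target, dns)
    return certificate_matches(reference_identity, san_dns_names)


if __name__ == "__main__":
    # A certificate issued to the hosting provider's machine is rejected: the
    # client asked for ldap.example.org, not for the CNAME or SRV target.
    print(verify_ldap_tls("ldap.example.org", DNS, ["ldap-cluster.hosting.example.net"]))  # False
    print(verify_ldap_tls("ldap.example.org", DNS, ["ldap.example.org"]))                  # True
    print(verify_ldap_tls("example.org", DNS, ["ldap1.hosting.example.net"]))              # False
    print(verify_ldap_tls("example.org", DNS, ["example.org"]))                            # True
```

In a real client the same rule is applied by handing the TLS library the original target name as the reference identity (in Python's ssl module, the `server_hostname` argument of `SSLContext.wrap_socket`) rather than whatever host the SRV or CNAME chain ended at.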