
additional security consideration for draft-ietf-ldapext-locate



There is an additional security consideration that I believe should be
added to draft-ietf-ldapext-locate-05.txt.

When using LDAP with TLS via the STARTTLS extension, an LDAP client
must check its idea of the server's name against the subject name in
the server's certificate, as described in section 3.6 of RFC 2830.
Regarding the name that the client uses to do the check:

   - The client MUST use the server hostname it used to open the LDAP
     connection as the value to compare against the server name as
     expressed in the server's certificate.  The client MUST NOT use the
     server's canonical DNS name or any other derived form of name.

The idea is that since DNS in particular is likely to be easily
spoofed, a client must not use a DNS-derived name to match against,
since it might be supplied by the attacker, and the client ends up
talking "securely" to an impostor.

It is important to note, in the ldapext-locate document, that the SRV
record lookup is yet another insecure DNS lookup, so that the name the
client must check for (if it is using LDAP/TLS) is the name it started
with before the SRV lookup, i.e. the name it got by mapping the
original DN to a DNS name. This point is important but somewhat
subtle.

So I offer the paragraph below, to be inserted between the current two
paragraphs in section 5 of draft-ietf-ldapext-locate-05.txt.

 - RL "Bob"

 ---

   When using LDAP with TLS the client must check the server's name,
   as described in section 3.6 of [RFC 2830].  As specified there, the
   name the client checks for is the server's name before any
   potentially insecure transformations, including the SRV record
   lookup specified in this memo.  Thus the name the client must check
   for is the name obtained by doing the mapping step defined in
   section 2 above.