
Re: Last Call: Discovering LDAP Services with DNS to Proposed Standard
this from section 5:

   The client MUST use the server hostname it used to open the LDAP
   connection as the value to compare against the server name as
   expressed in the server's certificate.  The client MUST NOT use the
   server's canonical DNS name or any other derived form of name.

First, the use of "canonical DNS name" in the second sentence is
misleading.

I think what the authors are trying to say is that when the client
compares names on server certificates it MUST NOT substitute
a DNS name obtained from a DNS CNAME resource record for the
DNS name obtained from the SRV record(s) corresponding to the
DNS name derived from the DN-to-DNS conversion in section 2.
But there's no reason to forbid use of a host's canonical name,
only to forbid use of the result of CNAME lookups.

But I think there's a bigger problem here.  The DNS name in the
server cert (which is IIRC itself encoded as a DN?) needs to match 
the DNS name obtained from the DN-to-DNS mapping algorithm in
section 2, NOT the server name returned from the SRV lookup.

(and especially NOT the DNS name beginning with "_ldap." that was
used to look up the SRV record.)

Otherwise you have the same problem - since SRV records can be
spoofed as easily as CNAME records.

Keith
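
The distinction Keith draws, as an added worked example that is not part of his message or of the draft under review: a client maps a DN to a DNS name, finds a server via _ldap._tcp SRV, and then checks the server certificate either against the SRV target it connected to (the section 5 wording) or against the DN-derived domain (Keith's proposal). The DN-to-DNS mapping below handles only dc= components, the SRV "resolver" is a dict, and the DN, SRV answers and certificate names are all constructed for the illustration; nothing is looked up on the network.

```python
"""Added example, not from the original e-mail or the draft.

Contrasts two server-identity checks for an LDAP server located via SRV:
comparing the certificate against the SRV target used to open the
connection, versus comparing it against the DNS name derived from the DN.
All inputs are constructed; no network lookups are made.
"""


def dn_to_dns(dn):
    """dc=example,dc=com -> example.com.

    Assumption: the DN consists only of dc= components (the case the
    draft's section 2 mapping is built around); anything else is rejected.
    """
    labels = []
    for rdn in dn.split(","):
        attr, sep, value = rdn.strip().partition("=")
        if not sep or attr.strip().lower() != "dc" or not value.strip():
            raise ValueError("cannot map RDN to a DNS label: %r" % rdn)
        labels.append(value.strip().lower())
    return ".".join(labels)


def locate_ldap_server(domain, srv_records):
    """Pick the most preferred SRV target for _ldap._tcp.<domain>.

    srv_records is a dict {owner name: [(priority, weight, port, target)]}
    standing in for a resolver; lowest priority wins (weight is ignored).
    """
    answers = srv_records.get("_ldap._tcp." + domain, [])
    if not answers:
        raise LookupError("no SRV records for " + domain)
    priority, weight, port, target = min(answers)
    return target.rstrip("."), port


def cert_name_matches(cert_names, expected):
    """Compare a DNS name against the dNSName values in a certificate.

    Exact, case-insensitive match, plus a single leading wildcard label.
    Deliberately no CNAME chasing or other derived forms of the name.
    """
    expected = expected.lower().rstrip(".")
    for name in cert_names:
        name = name.lower().rstrip(".")
        if name == expected:
            return True
        if name.startswith("*.") and "." in expected:
            if expected.split(".", 1)[1] == name[2:]:
                return True
    return False


def check_server_identity(dn, cert_names, srv_records, compare_against):
    """Return (name compared, matched?) under the chosen policy.

    compare_against="srv-target": the hostname used to open the connection.
    compare_against="dn-derived": the DNS name obtained from the DN.
    """
    domain = dn_to_dns(dn)
    target, port = locate_ldap_server(domain, srv_records)
    if compare_against == "srv-target":
        expected = target
    elif compare_against == "dn-derived":
        expected = domain
    else:
        raise ValueError("unknown policy: %r" % compare_against)
    return expected, cert_name_matches(cert_names, expected)


# Constructed scenario: a legitimate SRV answer and a spoofed one.
HONEST_SRV = {"_ldap._tcp.example.com": [(10, 0, 389, "ldap1.example.com.")]}
SPOOFED_SRV = {"_ldap._tcp.example.com": [(10, 0, 389, "ldap.attacker.test.")]}
# The attacker's certificate is perfectly valid for the attacker's own
# host, so a check against the SRV target accepts it.
ATTACKER_CERT = ["ldap.attacker.test"]
HONEST_CERT = ["ldap1.example.com", "example.com"]

if __name__ == "__main__":
    dn = "dc=example,dc=com"
    for label, srv, cert in (("honest", HONEST_SRV, HONEST_CERT),
                             ("spoofed SRV", SPOOFED_SRV, ATTACKER_CERT)):
        for policy in ("srv-target", "dn-derived"):
            name, ok = check_server_identity(dn, cert, srv, policy)
            print("%-12s %-11s compared %-20s -> %s"
                  % (label, policy, name, "accept" if ok else "reject"))
```

With the spoofed SRV answer the "srv-target" policy accepts the attacker's certificate, because the attacker legitimately holds a certificate for the host the client was redirected to; the "dn-derived" policy rejects it, because the certificate does not carry example.com. Note what the latter policy implies for deployment: the server's certificate has to name the domain from the DN, not just the server's own hostname.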