
Re: Last Call: Discovering LDAP Services with DNS to Proposed Standard



   Date: Wed, 6 Feb 2002 10:23:47 -0700 (MST)
   From: "RL 'Bob' Morgan" <rlmorgan@washington.edu>
[...]
      When using LDAP with TLS the client must check the server's name,
      as described in section 3.6 of [RFC 2830].  As specified there, the
      name the client checks for is the server's name before any
      potentially insecure transformations, including the SRV record
      lookup specified in this memo.  Thus the name the client must check
      for is the name obtained by doing the mapping step defined in
      section 2 above.

   which I think precisely addresses your concern.

I read this paragraph and the draft several times, and I think, given
the example "cn=John Doe,ou=accounting,dc=example,dc=net", the
certificate presented by the server must have (as its cn attribute)
"example.net.", including the trailing .

Is this what's intended?  I suspect being explicit about the example
for this would be useful.

Larry
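The three steps the quoted draft paragraph ties together, written out as an added example in Python 3 (this is not code from the draft, from RFC 2830, or from anyone in this thread): map the DN to a domain name (the section 2 mapping step), look up the _ldap._tcp SRV record for that domain (which comes from untrusted DNS), and, when TLS is used, compare the server's certificate against the name from the first step, never against the SRV target from the second. Everything specific here is an assumption of mine rather than something the draft states: the mapping rule (take trailing dc= RDNs right to left and stop at the first RDN that is not a single dc value), the constructed SRV answers in FAKE_SRV_ANSWERS, the certificate names used in the examples, and the normalisation (lower-case, one trailing dot removed) applied before names are compared, which is one way of handling the trailing-dot question raised above. No real DNS or TLS is performed.

```python
"""Added example: DN -> domain mapping, SRV name, and the TLS name check.

Not code from the draft or this thread.  The mapping rule, the SRV answers
and the certificate names below are all constructed for illustration.
"""
import re
from typing import List, Tuple


def split_rdns(dn: str) -> List[str]:
    """Split an LDAP DN (RFC 2253 string form) on unescaped commas.

    A backslash escapes the next character, so "cn=Doe\\, John" stays one RDN
    while "cn=x\\\\,dc=a" (escaped backslash, then a real comma) splits.
    """
    rdns, cur, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):   # keep the escape pair together
            cur.append(dn[i:i + 2])
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
        i += 1
    rdns.append("".join(cur).strip())
    return rdns


def dn_to_domain(dn: str) -> str:
    """Mapping step (my reading of section 2): trailing dc= components, taken
    right to left, until the first RDN that is not a single dc value."""
    labels = []
    for rdn in reversed(split_rdns(dn)):
        if re.search(r"(?<!\\)\+", rdn):      # multi-valued RDN: not a plain dc
            break
        attr, sep, value = rdn.partition("=")
        if not sep or attr.strip().lower() != "dc":
            break
        labels.append(value.strip())
    if not labels:
        raise ValueError(f"no dc components at the root of {dn!r}")
    return ".".join(reversed(labels))


def srv_query_name(domain: str) -> str:
    return "_ldap._tcp." + domain


# Constructed SRV answers standing in for a real resolver.  The targets live in
# a different zone than the DN's domain: exactly the case where checking the
# SRV target instead of the mapped name would let a DNS forger pick the name.
FAKE_SRV_ANSWERS = {
    "_ldap._tcp.example.net": [
        (10, 60, 389, "ldap1.hosting-provider.example."),
        (10, 40, 389, "ldap2.hosting-provider.example."),
        (20, 0, 389, "backup.example.net."),
    ],
}


def choose_srv_target(domain: str) -> Tuple[str, int]:
    """Pick (target, port) from the SRV RRset.  Deterministic stand-in for
    RFC 2782 selection: lowest priority, then highest weight; a real client
    chooses weighted-randomly among records of equal priority."""
    rrs = FAKE_SRV_ANSWERS.get(srv_query_name(domain))
    if not rrs:
        raise LookupError(f"no SRV record for {srv_query_name(domain)}")
    _prio, _weight, port, target = sorted(rrs, key=lambda r: (r[0], -r[1]))[0]
    return target, port


def normalize_name(name: str) -> str:
    """DNS names are case-insensitive; one trailing dot is dropped (my choice)."""
    n = name.strip().lower()
    return n[:-1] if n.endswith(".") else n


def name_matches(expected: str, presented: str) -> bool:
    """RFC 2830 3.6 style comparison: exact match, or a '*' as the left-most
    label of the presented name standing for exactly one label."""
    e, p = normalize_name(expected), normalize_name(presented)
    if p == e:
        return True
    if p.startswith("*.") and "." in e:
        return e.split(".", 1)[1] == p[2:]
    return False


def check_server_name(dn: str, cert_names: List[str]) -> bool:
    """The name checked is the one mapped from the DN, before any DNS lookup;
    cert_names are the names the server certificate asserts (CN / dNSName)."""
    expected = dn_to_domain(dn)
    return any(name_matches(expected, n) for n in cert_names)


def locate_and_verify(dn: str, cert_names: List[str]) -> Tuple[str, str, bool]:
    """All three steps; returns (mapped domain, SRV target, name check ok)."""
    domain = dn_to_domain(dn)
    target, _port = choose_srv_target(domain)
    return domain, target, check_server_name(dn, cert_names)


if __name__ == "__main__":
    dn = "cn=John Doe,ou=accounting,dc=example,dc=net"
    for names in (["ldap1.hosting-provider.example"], ["example.net."], ["EXAMPLE.NET"]):
        print(locate_and_verify(dn, names))
```

With the draft's own example DN the mapped name is example.net, the SRV lookup points at ldap1.hosting-provider.example, and a certificate issued for that SRV target fails the check while one for example.net (with or without the trailing dot, in any case) passes; a wildcard *.example.net does not match the bare domain under this reading of RFC 2830 section 3.6, only a one-label subdomain such as accounting.example.net.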