Re: Last Call: Discovering LDAP Services with DNS to Proposed Standard
Date: Wed, 6 Feb 2002 10:23:47 -0700 (MST)
From: "RL 'Bob' Morgan" <rlmorgan@washington.edu>
[...]

When using LDAP with TLS the client must check the server's name,
as described in section 3.6 of [RFC 2830]. As specified there, the
name the client checks for is the server's name before any
potentially insecure transformations, including the SRV record
lookup specified in this memo. Thus the name the client must check
for is the name obtained by doing the mapping step defined in
section 2 above.

which I think precisely addresses your concern.

I read this paragraph and the draft several times, and I think, given
the example "cn=John Doe,ou=accounting,dc=example,dc=net", the
certificate presented by the server must have (as its cn attribute)
"example.net.", including the trailing .

Is this what's intended? I suspect being explicit about the example
for this would be useful.

Larry
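As an added illustration of the rule quoted above (this is example code written for this page, not code from the draft, from RFC 2830, or from anyone in the thread), the following Python models the client-side logic: derive the domain from the DN's dc components, use that domain for the SRV lookup, and then match the server certificate against the derived name rather than against whatever host the SRV answer pointed at. Assumptions not stated on the page: the mapping step is taken to be "the trailing run of dc= RDNs, innermost first"; the SRV target host name is constructed; and the comparison case-folds and ignores a single trailing dot, which is exactly the point Larry asks the draft to make explicit.

```python
import re

# Constructed sample input (not from the thread): the DN used in the message,
# plus a hypothetical SRV answer that points at a host outside the mapped domain.
SAMPLE_DN = "cn=John Doe,ou=accounting,dc=example,dc=net"
SAMPLE_SRV_TARGET = "ldap3.hosting-provider.example"  # hypothetical host

# Split a string DN on commas that are not backslash-escaped.
_UNESCAPED_COMMA = re.compile(r"(?<!\\),")


def split_rdns(dn):
    """Return the RDNs of a string DN, left to right, ignoring empty pieces."""
    return [rdn.strip() for rdn in _UNESCAPED_COMMA.split(dn) if rdn.strip()]


def dn_to_domain(dn):
    """Mapping step (assumption about the draft's section 2): collect the run of
    dc= RDNs at the end of the DN, innermost first, and join the values with dots.
    Returns None when the DN ends in something other than a dc component."""
    labels = []
    for rdn in reversed(split_rdns(dn)):
        attr, sep, value = rdn.partition("=")
        if not sep or attr.strip().lower() != "dc":
            break  # first non-dc RDN from the right ends the domain part
        labels.append(value.strip())
    if not labels:
        return None
    labels.reverse()
    return ".".join(labels)


def srv_query_name(domain):
    """Name the client resolves to find the server: _ldap._tcp.<domain>."""
    return "_ldap._tcp." + domain


def _normalize(name):
    """Assumption for comparison: case-insensitive, one trailing dot ignored."""
    n = name.lower()
    return n[:-1] if n.endswith(".") else n


def check_server_name(dn, cert_dns_names):
    """Return (accepted, expected_name).

    The expected name comes from the DN, never from the SRV answer, so a
    tampered or spoofed SRV record cannot choose which certificate is accepted.
    """
    expected = dn_to_domain(dn)
    if expected is None:
        return False, None
    accepted = any(_normalize(n) == _normalize(expected) for n in cert_dns_names)
    return accepted, expected


def demo():
    """Walk the sample DN through lookup and name check for both certificate cases."""
    domain = dn_to_domain(SAMPLE_DN)
    cert_for_srv_target, _ = check_server_name(SAMPLE_DN, [SAMPLE_SRV_TARGET])
    cert_for_domain, _ = check_server_name(SAMPLE_DN, ["example.net."])
    return {
        "mapped_domain": domain,
        "srv_query": srv_query_name(domain),
        "srv_target": SAMPLE_SRV_TARGET,
        "cert_named_after_srv_target_accepted": cert_for_srv_target,
        "cert_named_after_mapped_domain_accepted": cert_for_domain,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point the model makes concrete: even though the connection really goes to `SAMPLE_SRV_TARGET`, a certificate issued for that host is rejected, and only one for the DN-derived name `example.net` passes. Whether that certificate must carry the trailing dot is left to the comparison assumption in `_normalize`, which is the ambiguity the message raises.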