
Re: Last Call: Discovering LDAP Services with DNS to Proposed Standard



Can you please produce a new version of the document when the last call
period ends, and let me know when it is out?

  paf

--On 2002-02-06 10.23 -0700 RL 'Bob' Morgan <rlmorgan@washington.edu> wrote:

> 
> On Tue, 5 Feb 2002, Keith Moore wrote:
> 
>> this from section 5:
>> 
>>    The client MUST use the server hostname it used to open the LDAP
>>    connection as the value to compare against the server name as
>>    expressed in the server's certificate.  The client MUST NOT use the
>>    server's canonical DNS name or any other derived form of name.
> 
> Oops, this was a cut-n-paste error.  The text above is actually straight
> out of RFC 2830.  The actual text that was supposed to be in the locate
> document (as proposed by me in a message to the ldapext list 19 Mar 2001)
> is:
> 
>    When using LDAP with TLS the client must check the server's name,
>    as described in section 3.6 of [RFC 2830].  As specified there, the
>    name the client checks for is the server's name before any
>    potentially insecure transformations, including the SRV record
>    lookup specified in this memo.  Thus the name the client must check
>    for is the name obtained by doing the mapping step defined in
>    section 2 above.
> 
> which I think precisely addresses your concern.
> 
>  - RL "Bob"
> 
>
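The rule Bob quotes above is easy to state and easy to get wrong in code: the SRV lookup tells the client where to connect, but the name it then checks in the certificate has to be the one it had before that lookup, i.e. the domain derived from the DN, not the SRV target. The following is an added illustration written for this archive page, not code from the locate draft, from RFC 2830 or from any LDAP implementation. DNS is replaced by a constructed table, a certificate is represented by the list of DNS names it carries, and two things are assumed rather than taken from the thread: that the "mapping step" is the RFC 2247 convention of joining the DN's trailing dc= components, and that name comparison follows RFC 2830 section 3.6 (case-insensitive, "*" standing for the whole left-most label).

```python
"""
Added example (not the draft's or any product's code): after an SRV lookup,
an LDAP-over-TLS client must check the certificate against the name it
derived from the DN, never against the SRV target.

Assumptions, labelled here and in the lead-in:
  - mapping step = trailing dc= RDNs of the DN joined with dots (RFC 2247 style);
  - certificate name matching as in RFC 2830 section 3.6.
DNS is a constructed table; certificates are lists of DNS names.
"""

# Constructed SRV answers standing in for (unsigned, spoofable) DNS.
SRV_TABLE = {
    "_ldap._tcp.example.net": "ldap1.example.net",
}


def dn_to_domain(dn):
    """Mapping step: trailing dc= components of the DN -> DNS domain.

    Simplified DN splitting (no escaped commas); that is an assumption of
    this example, not a property of the draft.
    """
    rdns = [r.strip() for r in dn.split(",")]
    labels = []
    for rdn in reversed(rdns):
        attr, sep, value = rdn.partition("=")
        if not sep or attr.strip().lower() != "dc":
            break
        labels.append(value.strip())
    if not labels:
        raise ValueError("DN does not end in dc= components; no domain to derive")
    return ".".join(reversed(labels))


def srv_target(domain, table=SRV_TABLE):
    """The _ldap._tcp SRV lookup.  Its answer is a routing hint only: it says
    where to connect, not whom to trust, because plain DNS can be spoofed."""
    return table["_ldap._tcp." + domain]


def name_matches(cert_name, reference):
    """Compare one certificate DNS name against the reference name:
    case-insensitive, and '*' may stand for the whole left-most label."""
    c = cert_name.lower().rstrip(".").split(".")
    r = reference.lower().rstrip(".").split(".")
    if len(c) != len(r):
        return False
    if c[0] == "*":
        return c[1:] == r[1:]
    return c == r


def server_name_ok(cert_names, reference):
    """True if any name in the certificate matches the reference name."""
    return any(name_matches(n, reference) for n in cert_names)


def open_ldap_tls(dn, cert_names, table=SRV_TABLE, check_srv_target=False):
    """Locate the server for `dn`, then verify the certificate it presents.

    check_srv_target=True is the mistake the thread warns against: checking
    a name that came out of the (insecure) SRV lookup.
    Returns (accepted, reference_name_used).
    """
    domain = dn_to_domain(dn)            # secure input: derived from the DN
    target = srv_target(domain, table)   # insecure transformation: DNS answer
    reference = target if check_srv_target else domain
    return server_name_ok(cert_names, reference), reference


if __name__ == "__main__":
    dn = "cn=John Doe,ou=accounting,dc=example,dc=net"
    # An attacker who can answer DNS points the SRV record at a host for
    # which they legitimately hold a valid certificate.
    spoofed = {"_ldap._tcp.example.net": "ldap.attacker.example"}
    attacker_cert = ["ldap.attacker.example"]
    print(open_ldap_tls(dn, attacker_cert, spoofed, check_srv_target=True))
    print(open_ldap_tls(dn, attacker_cert, spoofed))
    # The legitimate server's certificate must therefore carry the mapped
    # name (example.net), not merely its own hostname.
    print(open_ldap_tls(dn, ["ldap1.example.net", "example.net"]))
```

The practical consequence for operators follows from the last call: a server found through the SRV record has to present a certificate that names the derived domain itself (here example.net), since a certificate for only the SRV target hostname, or a wildcard like *.example.net, does not match the name the client is obliged to check.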