Re: Last Call: Discovering LDAP Services with DNS to Proposed Standard
Can you please produce a new version of the document when the last call
period ends, and let me know when it is out?
paf
--On 2002-02-06 10.23 -0700 RL 'Bob' Morgan <rlmorgan@washington.edu> wrote:
>
> On Tue, 5 Feb 2002, Keith Moore wrote:
>
>> this from section 5:
>>
>> The client MUST use the server hostname it used to open the LDAP
>> connection as the value to compare against the server name as
>> expressed in the server's certificate. The client MUST NOT use the
>> server's canonical DNS name or any other derived form of name.
>
> Oops, this was a cut-n-paste error. The text above is actually straight
> out of RFC 2830. The actual text that was supposed to be in the locate
> document (as proposed by me in a message to the ldapext list 19 Mar 2001)
> is:
>
> When using LDAP with TLS the client must check the server's name,
> as described in section 3.6 of [RFC 2830]. As specified there, the
> name the client checks for is the server's name before any
> potentially insecure transformations, including the SRV record
> lookup specified in this memo. Thus the name the client must check
> for is the name obtained by doing the mapping step defined in
> section 2 above.
>
> which I think precisely addresses your concern.
>
> - RL "Bob"
>
>
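The name check in the quoted text, as an added example that is not part of this thread: it applies the DN-to-domain mapping step, then verifies the certificate against that mapped domain and never against the host returned by the SRV lookup. The `SRV_ANSWER` table and the certificate names are constructed sample data, and `dn_to_domain`, `name_matches` and `server_cert_acceptable` are illustrative names, not an API from the locate draft or RFC 2830.

```python
"""Added example: which name an LDAP client must check in TLS after SRV discovery.

Assumption: the mapping step of the locate draft is modelled as joining the
dc= components of the DN in order, e.g. 'dc=example,dc=net' -> 'example.net'.
"""

# Constructed sample data: answer to an SRV query for _ldap._tcp.example.net.
# An SRV lookup is a potentially insecure transformation, so its target is
# only used to open the connection, never as the name to verify.
SRV_ANSWER = {"example.net": "ldap1.hosting.example"}


def dn_to_domain(dn):
    """Map a DN made only of dc= RDNs to a DNS domain name (lower-cased)."""
    labels = []
    for rdn in dn.split(","):
        attr, _, value = rdn.strip().partition("=")
        if attr.strip().lower() != "dc" or not value.strip():
            raise ValueError("expected a dc= RDN, got %r" % rdn)
        labels.append(value.strip().lower())
    return ".".join(labels)


def srv_target_for(dn):
    """Host the client connects to: the SRV target for the mapped domain."""
    return SRV_ANSWER[dn_to_domain(dn)]


def name_matches(expected, cert_name):
    """Compare per RFC 2830 s3.6: case-insensitive, '*' matches one label."""
    exp = expected.lower().rstrip(".").split(".")
    got = cert_name.lower().rstrip(".").split(".")
    if len(exp) != len(got):
        return False
    return all(g == "*" or g == e for e, g in zip(exp, got))


def server_cert_acceptable(dn, cert_names):
    """Accept the certificate only if it names the mapped domain.

    The SRV target (srv_target_for) is deliberately not consulted here: a
    certificate that only names the SRV host proves nothing about the domain
    the client actually asked for.
    """
    expected = dn_to_domain(dn)
    return any(name_matches(expected, n) for n in cert_names)
```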