> -----Original Message-----
> From: Lawrence Greenfield [mailto:leg+@andrew.cmu.edu]
> Sent: Wednesday, February 06, 2002 17:35
> To: RL 'Bob' Morgan
> Cc: IETF ldapext WG; iesg@ietf.org
> Subject: Re: Last Call: Discovering LDAP Services with DNS to Proposed Standard
>
> > Date: Wed, 6 Feb 2002 10:23:47 -0700 (MST)
> > From: "RL 'Bob' Morgan" <rlmorgan@washington.edu>
> [...]
> >    When using LDAP with TLS the client must check the server's name,
> >    as described in section 3.6 of [RFC 2830]. As specified there, the
> >    name the client checks for is the server's name before any
> >    potentially insecure transformations, including the SRV record
> >    lookup specified in this memo. Thus the name the client must check
> >    for is the name obtained by doing the mapping step defined in
> >    section 2 above.
> >
> > which I think precisely addresses your concern.
>
> I read this paragraph and the draft several times, and I think, given the
> example "cn=John Doe,ou=accounting,dc=example,dc=net", the certificate
> presented by the server must have (as its cn attribute) "example.net.",
> including the trailing .

Someone should check, because IIRC, the certs issued by the usual suspects do
not have the final "." in them. E.g., a typical Verisign server cert for
"example.net" would have exactly that as the CN, no trailing ".".

> Is this what's intended? I suspect being explicit about the example for
> this would be useful.

I agree.

> Larry
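The mapping and name-check rule the thread is discussing, as an added Python example that is not from the draft or from anyone in the thread: it maps the DN to a domain name from its dc components (a simplified reading of the draft's section 2, with the trailing "." of its example; handling of escaped commas or unusual DNs is assumed away), builds the SRV query name, and checks the server certificate against the mapped name rather than the SRV target, tolerating the trailing-dot difference raised above. The host and certificate names in the demo are constructed.

```python
from typing import List, Optional


def dn_to_domain(dn: str) -> Optional[str]:
    """Map a DN to a fully qualified domain name built from its dc RDNs.

    Assumption: dc values are concatenated in DN order and given a trailing
    '.' as in the draft's example; escaped commas in values are not handled.
    """
    labels = []
    for rdn in dn.split(","):
        attr, _, value = rdn.partition("=")
        if attr.strip().lower() == "dc" and value.strip():
            labels.append(value.strip())
    if not labels:
        return None  # no dc components: the DN cannot be located via DNS
    return ".".join(labels) + "."


def srv_query_name(domain: str) -> str:
    """SRV owner name the client looks up (RFC 2782 style _ldap._tcp prefix)."""
    return "_ldap._tcp." + domain


def _canonical(name: str) -> str:
    # A trailing dot and letter case carry no meaning for the comparison,
    # which is what lets a CN of "example.net" satisfy "example.net.".
    return name.rstrip(".").lower()


def tls_name_matches(expected: str, cert_name: str) -> bool:
    """Exact host-name match between the mapped name and a certificate name."""
    return _canonical(expected) == _canonical(cert_name)


def check_server(dn: str, srv_target: str, cert_names: List[str]) -> bool:
    """Accept the server only if its certificate carries the mapped name."""
    expected = dn_to_domain(dn)
    if expected is None:
        return False
    # The client connects to srv_target, but that name came from an
    # unauthenticated SRV answer, so it is never what the cert is checked
    # against; only the name derived from the DN itself is acceptable.
    return any(tls_name_matches(expected, n) for n in cert_names)


if __name__ == "__main__":
    dn = "cn=John Doe,ou=accounting,dc=example,dc=net"
    print(dn_to_domain(dn), srv_query_name(dn_to_domain(dn)))
    print(check_server(dn, "ldap1.example.net", ["example.net"]))        # True
    print(check_server(dn, "ldap1.example.net", ["ldap1.example.net"]))  # False
```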