
Re: Last Call: Discovering LDAP Services with DNS to Proposed Standard



On Wed, 6 Feb 2002, Lawrence Greenfield wrote:

>    Date: Wed, 6 Feb 2002 10:23:47 -0700 (MST)
>    From: "RL 'Bob' Morgan" <rlmorgan@washington.edu>
> [...]
>       When using LDAP with TLS the client must check the server's name,
>       as described in section 3.6 of [RFC 2830].  As specified there, the
>       name the client checks for is the server's name before any
>       potentially insecure transformations, including the SRV record
>       lookup specified in this memo.  Thus the name the client must check
>       for is the name obtained by doing the mapping step defined in
>       section 2 above.
>
>    which I think precisely addresses your concern.
>
> I read this paragraph and the draft several times, and I think, given
> the example "cn=John Doe,ou=accounting,dc=example,dc=net", the
> certificate presented by the server must have (as its cn attribute)
> "example.net.", including the trailing .
>
> Is this what's intended?  I suspect being explicit about the example
> for this would be useful.

I think you're suggesting adding the example to this paragraph, which I
agree is a good idea.  Proposed new text below.

Regarding the trailing ".", I would say that it is consistent with the
matching defined in section 3.6 of RFC 2830 to ignore the trailing ".", if
present, in either the input name or the name extracted from the cert.
That is, what really should be looked at when matching DNS names is the
labels, not the separators (is DNS matching specified somewhere?).  I will
suggest that we clarify this in the revision to RFC 2830 now being worked
on in ldapbis.

 - RL "Bob"

---

   When using LDAP with TLS the client must check the server's name,
   as described in section 3.6 of [RFC 2830].  As specified there, the
   name the client checks for is the server's name before any
   potentially insecure transformations, including the SRV record
   lookup specified in this memo.  Thus the name the client must check
   for is the name obtained by doing the mapping step defined in
   section 2 above.  For example, if the DN "cn=John
   Doe,ou=accounting,dc=example,dc=net" is converted to the DNS name
   "example.net.", the server's name must match "example.net.".
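The check the proposed text describes, as an added worked example in Python (not code from the thread, the draft, or any LDAP implementation). It carries out the two steps separately: the mapping step from the DN to a DNS name, and the certificate name comparison against that mapped name, done label by label so that a trailing "." and letter case do not matter, as Bob suggests. The SRV answer is a constructed table standing in for the DNS lookup, and is deliberately never compared against the certificate. The exact mapping rule (skip leading non-dc RDNs, then take the run of consecutive dc RDNs) is my reading of the draft's section 2, which is not quoted above, and the wildcard rule is my summary of RFC 2830 section 3.6; both are assumptions, as are all names in the sample data.

```python
"""Which name an LDAP-over-TLS client must check after an SRV-based lookup.

Added example: maps a DN to a DNS name, then matches that name (not the
SRV target) against the names in the server certificate.
"""

import re

# Constructed data, not from the thread: stands in for the result of the
# SRV lookup.  It is shown for contrast only and is never used in the
# certificate check, which is the point of the paragraph under discussion.
CONSTRUCTED_SRV_ANSWER = {
    "example.net.": [("ldap-front.hosting.example.", 389)],
}

_UNESCAPED_COMMA = re.compile(r"(?<!\\),")
_UNESCAPED_PLUS = re.compile(r"(?<!\\)\+")


def dn_to_dns_name(dn):
    """Mapping step (assumed reading of the draft's section 2).

    Walk the RDNs from most specific to least specific, skip any leading
    non-dc RDNs, then take the run of consecutive dc RDNs and join their
    values with '.'.  Returns an absolute name with a trailing '.', as in
    the thread's example.  Raises ValueError if there are no dc RDNs.
    """
    labels = []
    started = False
    for rdn in _UNESCAPED_COMMA.split(dn):
        dc_values = []
        for ava in _UNESCAPED_PLUS.split(rdn):
            attr, sep, value = ava.partition("=")
            if sep and attr.strip().lower() == "dc":
                dc_values.append(value.strip())
        if dc_values:
            started = True
            labels.append(dc_values[0])
        elif started:
            break  # first non-dc RDN after the dc run ends the name
    if not labels:
        raise ValueError("DN contains no dc components: %r" % dn)
    return ".".join(labels) + "."


def _labels(name):
    """Split a DNS name into labels, ignoring one trailing '.' and case."""
    name = name.lower()
    if name.endswith("."):
        name = name[:-1]
    return name.split(".")


def names_match(expected, cert_name):
    """Compare two DNS names label by label.

    A '*' as the left-most label of the certificate name matches exactly
    one label of the expected name (my summary of RFC 2830 section 3.6).
    """
    exp, got = _labels(expected), _labels(cert_name)
    if len(exp) != len(got) or "" in exp:
        return False
    if got[0] == "*":
        got = exp[:1] + got[1:]
    return exp == got


def server_name_ok(dn, cert_names):
    """Return True if some certificate name matches the mapped DN name.

    The SRV target is looked up only to show what is NOT being compared.
    """
    expected = dn_to_dns_name(dn)
    srv_targets = [t for t, _ in CONSTRUCTED_SRV_ANSWER.get(expected, [])]
    print("expected name: %s   (SRV targets, ignored: %s)" % (expected, srv_targets))
    return any(names_match(expected, name) for name in cert_names)


if __name__ == "__main__":
    dn = "cn=John Doe,ou=accounting,dc=example,dc=net"
    print(server_name_ok(dn, ["example.net"]))                    # True
    print(server_name_ok(dn, ["ldap-front.hosting.example."]))    # False
```

The second call in the usage block is the attack case the draft's paragraph guards against: a certificate valid only for the SRV target name, which a spoofed SRV answer could point anywhere, is rejected because the client compares against the name derived from the DN, not against what DNS returned.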