
Re: Last Call: Discovering LDAP Services with DNS to Proposed Standard



On Fri, 8 Feb 2002, Lawrence Greenfield wrote:

>    Date: Fri, 8 Feb 2002 01:19:53 -0700 (MST)
>    From: "RL 'Bob' Morgan" <rlmorgan@washington.edu>
> [...]
>    Regarding the trailing ".", I would say that it is consistent with the
>    matching defined in section 3.6 of RFC 2830 to ignore the trailing ".", if
>    present, in either the input name or the name extracted from the cert.
>    That is, what really should be looked at when matching DNS names is the
>    labels, not the separators (is DNS matching specified somewhere?).  I will
>    suggest that we clarify this in the revision to RFC 2830 now being worked
>    on in ldapbis.
>
> Do any other uses of TLS allow for trailing dots or no?  It seems
> easier just to remove the trailing dot in this specification instead
> of revising RFC 2830.  Reading 2830, I would expect the server
> certificate to contain the trailing dot if the user entered it, and
> not contain it if the user didn't.

But the presence of a trailing dot is always possible in the name supplied
by the user, which is what any TLS implementation for any protocol should
match against (if it's doing matching at all).  We can't legislate that
out of existence.

Ayee!  I just tried connecting to

  https://www.washington.edu./

with several browsers (Mozilla 0.9.8 on Linux, Netscape 4.78 on Linux, IE5
on Mac, Netscape 6 on Mac) and all of them gave "name mismatch" errors.
Obviously they're just doing a string compare, which it seems to me is
just broken.  Feh.

> Couldn't we just modify the paragraph to "the name obtained by doing
> the mapping step defined in section 2 with the trailing dot removed" ?

Well, we could avoid the whole issue by just leaving the trailing dots out
of the examples.  I'm not sure why they're written that way, I think it
may be that an early version of the mapping algorithm said to start with a
".".  This is clearly a swamp, and not one that will be fixed by this
document.

 - RL "Bob"
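Label-based matching of the kind suggested above, as an added example that is not part of this thread or of any of the implementations mentioned: one trailing root dot is ignored on either side, labels are compared case-insensitively, and a name with an empty label is rejected. `naive_match` is the string compare the browsers appear to be doing.

```python
def dns_labels(name):
    """Split a DNS name into its labels, ignoring a single trailing root dot.

    Returns None for names that are not syntactically valid hostnames
    (empty name, or an empty label such as in "a..b" or ".a").
    """
    if name.endswith("."):
        name = name[:-1]              # "www.washington.edu." -> "www.washington.edu"
    if not name:
        return None
    labels = name.lower().split(".")  # DNS names are case-insensitive
    if any(label == "" for label in labels):
        return None
    return labels


def names_match(expected, presented):
    """Compare the user-supplied name with the name taken from the
    certificate label by label, so the separators (and a trailing dot
    on either side) play no part in the comparison."""
    a = dns_labels(expected)
    b = dns_labels(presented)
    if a is None or b is None:
        return False
    return a == b


def naive_match(expected, presented):
    """Plain string compare: reports a mismatch for a trailing dot."""
    return expected == presented


if __name__ == "__main__":
    # Constructed inputs mirroring the example in the message above.
    print(naive_match("www.washington.edu.", "www.washington.edu"))  # False
    print(names_match("www.washington.edu.", "www.washington.edu"))  # True
```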