
Re: Last Call: Discovering LDAP Services with DNS to Proposed Standard



On further thought, I'm actually fairly unhappy about this approach to
constructing the name of the certificate needed.

There are other uses of SRV records; let's say I have the IMAP
protocol running, so I look up

_imap._tcp.example.net.  IN  SRV 0 0 143 imap.example.net.

If I then execute STARTTLS on this service, should I be expecting a
certificate for "example.net"?

Now all of the services for example.net share the same certificate,
even though administratively IMAP and LDAP might be in two separate
groups/organizations/whatever and should have no business being able
to spoof each other.  Delegating one service to a subgroup shouldn't
compromise every other service for a domain.

Larry
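The trade-off Larry raises, worked through as an added example that is not part of the original message or of any IETF document: a client discovers a service through SRV and then has to decide which name the TLS certificate must carry. The SRV zone data, the certificate records and the policy names ("origin", "target", "srv-id") are all constructed for illustration; the "srv-id" form `_Service.Name` is the SRV-ID identifier later defined in RFC 6125.

```python
"""Which certificate name should a client expect after SRV discovery?

Added example, not code from the original message or from any IETF
specification. The SRV zone data, the certificate records and the policy
names are constructed for illustration. The "srv-id" policy follows the
SRV-ID form of RFC 6125 ("_Service.Name", e.g. "_imap.example.net").
"""
from dataclasses import dataclass, field

# Constructed zone data for example.net (assumption, not real DNS).
SRV_RECORDS = {
    "_imap._tcp.example.net.": ("imap.example.net.", 143),
    "_ldap._tcp.example.net.": ("ldap.example.net.", 389),
}


def _norm(name: str) -> str:
    """DNS names compare case-insensitively, with or without a trailing dot."""
    return name.lower().rstrip(".")


@dataclass
class Certificate:
    """Only the identity fields that matter for name matching."""
    dns_names: set                                # dNSName subjectAltName entries
    srv_names: set = field(default_factory=set)   # SRV-ID otherName entries (RFC 6125)


def lookup_srv(service: str, proto: str, domain: str):
    """Return (target host, port) for the _service._proto.domain SRV owner name."""
    owner = f"_{service}._{proto}.{_norm(domain)}."
    target, port = SRV_RECORDS[owner]
    return _norm(target), port


def cert_acceptable(policy: str, cert: Certificate,
                    service: str, domain: str, target: str) -> bool:
    """Decide whether `cert` is acceptable for `service` discovered under `domain`.

    origin : the certificate must name the domain the SRV query was made for
             (the approach the message objects to: every service shares one identity).
    target : the certificate must name the SRV target host.
    srv-id : the certificate must carry an SRV-ID binding this service to the domain.
    """
    dns = {_norm(n) for n in cert.dns_names}
    srv = {_norm(n) for n in cert.srv_names}
    if policy == "origin":
        return _norm(domain) in dns
    if policy == "target":
        return _norm(target) in dns
    if policy == "srv-id":
        return f"_{service.lower()}.{_norm(domain)}" in srv
    raise ValueError(f"unknown policy {policy!r}")


# A certificate legitimately issued to the IMAP group (constructed). Under the
# "origin" policy it necessarily names example.net itself.
IMAP_CERT = Certificate(
    dns_names={"example.net", "imap.example.net"},
    srv_names={"_imap.example.net"},
)


def spoof_matrix() -> dict:
    """For each policy: can the IMAP group's certificate pass as the LDAP service?"""
    ldap_target, _ = lookup_srv("ldap", "tcp", "example.net")
    return {
        policy: cert_acceptable(policy, IMAP_CERT, "ldap", "example.net", ldap_target)
        for policy in ("origin", "target", "srv-id")
    }


if __name__ == "__main__":
    for policy, spoofable in spoof_matrix().items():
        print(f"{policy:7s} IMAP cert accepted for LDAP: {spoofable}")
```

Under the "origin" policy the IMAP group's certificate validates for LDAP as well, which is exactly the cross-service spoofing the message describes. Checking the SRV target host instead separates the two groups, but only as far as the SRV answer itself can be trusted: without DNSSEC an attacker who controls the client's DNS can point the target at a host for which they already hold a valid certificate, which is why binding the service name into the certificate (the SRV-ID policy) was the direction later standardised.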