
Re: Last Call: Discovering LDAP Services with DNS to Proposed Standard



At 12:02 PM 2002-02-08, Lawrence Greenfield wrote:
>On further thought, I'm actually fairly unhappy about this approach to
>constructing the name of the certificate needed.
>
>There are other uses of SRV records; let's say I have the IMAP
>protocol running, so I look up
>
>_imap._tcp.example.net.  IN  SRV 0 0 143 imap.example.net.
>
>If I then execute STARTTLS on this service, should I be expecting a
>certificate for "example.net"?

If the user asked for the service at "example.net", then the
client should verify that the certificate is for "example.net".
That can be done in a number of ways.  The client can check
that the common name is example.net, or check the dNSName
field.  The LDAP locate specification should change that
or add to it additional ways of checking, as detailed in
RFC 2830.

However, the LDAP locate spec should specify that if the client
asks for the LDAP service holding CN=Kurt,DC=OpenLDAP,DC=ORG and
locate says that service is at ldap.openldap.org, the client
should check that the domain OpenLDAP.ORG is in the certificate,
not ldap.openldap.org, as this was provided via an insecure
source (DNS).

>Now all of the services for example.net share the same certificate,

Yes, the user is asking for "example.net" services in all cases!
It is presumed that services under a particular domain are under
the administrative control of the domain owner.

Kurt
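The check described in this reply, as an added example that is not part of the original thread or of any LDAP implementation: the client derives the expected domain from the DC components of the DN it was asked for, then compares that domain against the certificate's dNSName entries (falling back to the common name), while the SRV target host returned by DNS plays no part in the identity decision. The function and variable names, the wildcard rule (a leading `*` label matching exactly one label, in the spirit of RFC 2830 section 3.6), and all sample values are constructed for this example.

```python
# Added example, not code from the thread. Decide whether a server certificate
# is acceptable for an LDAP service that was located via DNS SRV. The identity
# being verified is the domain the user asked for (from the DN), never the SRV
# target, because the SRV answer came from an unauthenticated source.


def domain_from_dn(dn):
    """Derive the DNS domain from the DC components of an LDAP DN:
    'CN=Kurt,DC=OpenLDAP,DC=ORG' -> 'openldap.org'."""
    dcs = []
    for rdn in dn.split(","):
        attr, _, value = rdn.strip().partition("=")
        if attr.strip().lower() == "dc":
            dcs.append(value.strip().lower())
    if not dcs:
        raise ValueError("DN carries no DC components, cannot derive a domain")
    return ".".join(dcs)


def name_matches(presented, expected):
    """Case-insensitive comparison of one certificate name against the expected
    domain. A leading '*' label may stand for exactly one label (constructed
    wildcard rule); it never matches the bare domain itself."""
    presented = presented.lower().rstrip(".")
    expected = expected.lower().rstrip(".")
    if presented == expected:
        return True
    if presented.startswith("*."):
        p_labels = presented.split(".")[1:]
        e_labels = expected.split(".")
        return len(e_labels) == len(p_labels) + 1 and e_labels[1:] == p_labels
    return False


def certificate_acceptable(requested_dn, srv_target, cert_dns_names, cert_cn):
    """Return (ok, reason). srv_target is accepted only so the caller can log
    where the connection went; it is deliberately not used as an identity."""
    expected = domain_from_dn(requested_dn)
    # Prefer subjectAltName dNSName entries; use CN only when the cert has none.
    names = list(cert_dns_names) if cert_dns_names else ([cert_cn] if cert_cn else [])
    for name in names:
        if name_matches(name, expected):
            return True, (f"cert name {name!r} matches requested domain "
                          f"{expected!r} (connected to SRV target {srv_target!r})")
    return False, (f"no cert name in {names} matches requested domain {expected!r}; "
                   f"SRV target {srv_target!r} is not an acceptable identity")


if __name__ == "__main__":
    # Constructed scenarios mirroring the thread's discussion.
    dn = "CN=Kurt,DC=OpenLDAP,DC=ORG"
    # Certificate issued for the requested domain: accepted.
    print(certificate_acceptable(dn, "ldap.openldap.org", ["openldap.org"], None))
    # Certificate issued only for the SRV target host: rejected, since that name
    # was learned from DNS and could point anywhere.
    print(certificate_acceptable(dn, "ldap.openldap.org",
                                 ["ldap.openldap.org"], "ldap.openldap.org"))
    # The IMAP case from the question: the service found via
    # _imap._tcp.example.net is still verified against example.net.
    print(certificate_acceptable("DC=example,DC=net", "imap.example.net",
                                 [], "EXAMPLE.NET"))
```

Run as a script it prints one `(ok, reason)` tuple per scenario. Whether the SRV target name should also count as an acceptable identity is exactly the policy question the thread is debating; this example implements the stricter position stated in the reply, so a certificate carrying only the SRV hostname is refused.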