Re: Last Call: Discovering LDAP Services with DNS to Proposed Standard



   Date: Fri, 08 Feb 2002 12:25:42 -0800
   From: "Kurt D. Zeilenga" <Kurt@OpenLDAP.org>
[...]
   However, the LDAP locate spec should specify that if the client
   asks for the LDAP service holding CN=Kurt,DC=OpenLDAP,DC=ORG and
   locate says that service is at ldap.openldap.org, the client
   should check that the domain OpenLDAP.ORG is in the certificate,
   not ldap.openldap.org, as this was provided via an insecure
   source (DNS).

Obviously it cannot be provided by DNS.

   >Now all of the services for example.net share the same certificate,

   Yes, the user is asking for "example.net" services in all cases!
   It is presumed that services under a particular domain are under
   the administrative control of the domain owner.

That's unfortunate.  Large organizations exist.  Compromising a single
service shouldn't compromise all services for a domain.

Larry
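The check Kurt describes, as an added example that is not code from this thread or from any LDAP implementation: the name verified in the server certificate is derived from the DC components of the DN the client asked for (RFC 2247 mapping), never from the host name returned in the DNS SRV answer. The certificate SAN lists, the SRV target host and the use of the `_ldap._tcp.<domain>` SRV owner name are constructed for illustration; the wildcard rule is a single leftmost label, as in RFC 6125.

```python
"""Certificate name check for an LDAP service located via DNS SRV.

Added example, not code from the mailing-list thread. The DNS answer that
located the server is untrusted input, so the name we require in the
certificate comes from the domain the client asked for, not from the SRV
target host.
"""


def domain_from_dn(dn: str) -> str:
    """Return the DNS domain encoded by the DC components of an LDAP DN.

    'CN=Kurt,DC=OpenLDAP,DC=ORG' -> 'openldap.org'. Only simple,
    unescaped RDNs are handled here.
    """
    labels = []
    for rdn in dn.split(","):
        attr, _, value = rdn.strip().partition("=")
        if attr.strip().lower() == "dc":
            labels.append(value.strip().lower())
    if not labels:
        raise ValueError("DN carries no DC components: %r" % dn)
    return ".".join(labels)


def srv_query_name(domain: str) -> str:
    """SRV owner name the client looks up (assumed RFC 2782 form)."""
    return "_ldap._tcp." + domain


def name_matches(cert_name: str, expected: str) -> bool:
    """Match one certificate DNS name against the expected name.

    Case-insensitive. A leading '*.' matches exactly one label, so
    '*.openldap.org' matches 'ldap.openldap.org' but neither
    'openldap.org' nor 'a.b.openldap.org'.
    """
    cert_name = cert_name.lower().rstrip(".")
    expected = expected.lower().rstrip(".")
    if cert_name.startswith("*."):
        rest = expected.partition(".")[2]
        return bool(rest) and rest == cert_name[2:]
    return cert_name == expected


def verify_located_service(dn: str, srv_target: str, cert_dns_names):
    """Decide whether the located server's certificate is acceptable.

    Returns (accept, expected_name). accept is True only if a name in the
    certificate matches the domain derived from the DN. srv_target is
    accepted as a parameter only to make the point that it is NOT used
    for the decision: it came from DNS and is not trusted.
    """
    expected = domain_from_dn(dn)
    accept = any(name_matches(n, expected) for n in cert_dns_names)
    return accept, expected


def would_accept_on_srv_target(srv_target: str, cert_dns_names) -> bool:
    """The unsafe alternative, kept for contrast only: verifying against
    the SRV target lets whoever controls the DNS answer choose which
    certificate the client will accept."""
    return any(name_matches(n, srv_target) for n in cert_dns_names)


if __name__ == "__main__":
    dn = "CN=Kurt,DC=OpenLDAP,DC=ORG"
    domain = domain_from_dn(dn)
    print("lookup", srv_query_name(domain))
    # Constructed: a DNS answer pointing at a host whose certificate names
    # only that host. Verified against the asked-for domain it fails; it
    # would have passed had the SRV target been trusted.
    srv_target = "ldap.openldap.org"
    host_only_cert = ["ldap.openldap.org"]
    print(verify_located_service(dn, srv_target, host_only_cert))
    print(would_accept_on_srv_target(srv_target, host_only_cert))
    # Constructed: a certificate issued for the domain itself.
    domain_cert = ["openldap.org", "*.openldap.org"]
    print(verify_located_service(dn, srv_target, domain_cert))
```

Larry's objection is visible in the second certificate: because acceptance hinges on the domain name, one certificate for `openldap.org` (or a `*.openldap.org` wildcard) is accepted for every service under that domain, so a key compromise on one host affects them all.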