Re: Last Call: Discovering LDAP Services with DNS to Proposed Standard
Date: Fri, 08 Feb 2002 12:25:42 -0800
From: "Kurt D. Zeilenga" <Kurt@OpenLDAP.org>
[...]
However, the LDAP locate spec should specify that if the client
asks for the LDAP service holding CN=Kurt,DC=OpenLDAP,DC=ORG and
locate says that service is at ldap.openldap.org, the client
should check that the domain OpenLDAP.ORG is in the certificate,
not ldap.openldap.org, as the latter was provided via an insecure
source (DNS).
Obviously it cannot be provided by DNS.
>Now all of the services for example.net share the same certificate,
Yes, the user is asking for "example.net" services in all cases!
It is presumed that services under a particular domain are under
the administrative control of the domain owner.
That's unfortunate. Large organizations exist. Compromising a single
service shouldn't compromise all services for a domain.
Larry
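The check discussed above (match the certificate against the domain derived from the DN the user asked for, never against the SRV target that unauthenticated DNS returned), as an added illustration in Python that is not part of this thread or of any LDAP implementation. The DN, the SAN lists and the hostname ldap.openldap.org are constructed samples; the DC-to-domain mapping and the wildcard rule are simplified.

```python
# Constructed samples: the DN the client asked for, and the DNS names two
# candidate server certificates might carry in their subjectAltName.
REQUESTED_DN = "CN=Kurt,DC=OpenLDAP,DC=ORG"
CERT_FOR_DOMAIN = ["openldap.org"]            # names the domain the user asked for
CERT_FOR_SRV_TARGET = ["ldap.openldap.org"]   # names only the DNS-supplied host


def dn_to_domain(dn: str) -> str:
    """Map the DC= components of a DN to a DNS domain (the RFC 2247 mapping).
    Assumes a simple DN with no escaped commas inside attribute values."""
    labels = []
    for rdn in dn.split(","):
        attr, _, value = rdn.partition("=")
        if attr.strip().lower() == "dc":
            labels.append(value.strip().lower())
    if not labels:
        raise ValueError("DN has no DC components; cannot derive a domain")
    return ".".join(labels)


def hostname_matches(presented: str, reference: str) -> bool:
    """Match one certificate DNS name against the reference identifier:
    exact match, or a single-label wildcard in the leftmost label only."""
    presented = presented.lower().rstrip(".")
    reference = reference.lower().rstrip(".")
    if presented == reference:
        return True
    if presented.startswith("*.") and "*" not in presented[2:]:
        suffix = presented[1:]            # e.g. ".openldap.org"
        if not reference.endswith(suffix):
            return False
        head = reference[:-len(suffix)]   # the label the wildcard must cover
        return bool(head) and "." not in head
    return False


def verify_server_identity(cert_dns_names, dn: str) -> bool:
    """Reference identifier comes from the DN the user requested, not from the
    SRV record: a spoofed DNS answer must not be able to pick the expected name."""
    reference = dn_to_domain(dn)
    return any(hostname_matches(name, reference) for name in cert_dns_names)


if __name__ == "__main__":
    print(verify_server_identity(CERT_FOR_DOMAIN, REQUESTED_DN))      # True
    print(verify_server_identity(CERT_FOR_SRV_TARGET, REQUESTED_DN))  # False
```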