That's the best we can do today with certs, unless the issuing companies figure this problem out. With Kerberos, one would look for the moral equivalent of a certificate that contained "imap/example.net" -- i.e., the "imap" service for the domain "example.net".

> -----Original Message-----
> From: Lawrence Greenfield [mailto:leg+@andrew.cmu.edu]
> Sent: Friday, February 08, 2002 20:02
> To: RL 'Bob' Morgan
> Cc: IETF ldapext WG; iesg@ietf.org
> Subject: Re: Last Call: Discovering LDAP Services with DNS to
> Proposed Standard
>
>
> On further thought, I'm actually fairly unhappy about this
> approach to constructing the name of the certificate needed.
>
> There are other uses of SRV records; let's say I have the
> IMAP protocol running, so I look up
>
> _imap._tcp.example.net. IN SRV 0 0 143 imap.example.net.
>
> If I then execute STARTTLS on this service, should I be
> expecting a certificate for "example.net"?
>
> Now all of the services for example.net share the same
> certificate, even though administratively IMAP and LDAP might
> be in two separate groups/organizations/whatever and should
> have no business being able to spoof each other. Delegating
> one service to a subgroup shouldn't compromise every other
> service for a domain.
>
> Larry
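Added example, not part of the thread: a small model of the two certificate-naming policies being debated, with constructed SRV records and constructed certificate name lists. The "domain" policy matches the cert against the domain that was looked up; the "service" policy uses a `service/domain` form modelled on the Kerberos analogy in the reply, and the certificate contents are assumptions.

```python
"""Which name should a client expect in a certificate after following an SRV record?"""
import re
from dataclasses import dataclass

# Matches a zone-file style SRV line such as the one quoted in the thread.
SRV_RE = re.compile(
    r"^_(?P<service>[a-z0-9-]+)\._(?P<proto>tcp|udp)\.(?P<domain>\S+?)\.?\s+IN\s+SRV\s+"
    r"(?P<prio>\d+)\s+(?P<weight>\d+)\s+(?P<port>\d+)\s+(?P<target>\S+?)\.?$",
    re.IGNORECASE,
)

@dataclass(frozen=True)
class SrvRecord:
    service: str   # e.g. "imap" or "ldap"
    proto: str     # "tcp" or "udp"
    domain: str    # the domain that was looked up
    port: int
    target: str    # the host the record points at

def parse_srv(line: str) -> SrvRecord:
    m = SRV_RE.match(line.strip())
    if not m:
        raise ValueError(f"not an SRV record: {line!r}")
    return SrvRecord(m["service"].lower(), m["proto"].lower(),
                     m["domain"].lower().rstrip("."), int(m["port"]),
                     m["target"].lower().rstrip("."))

def expected_name(rec: SrvRecord, policy: str) -> str:
    """'domain': one certificate for the whole domain (the approach criticised).
    'service': a service-qualified name, so IMAP and LDAP need distinct certs."""
    if policy == "domain":
        return rec.domain
    if policy == "service":
        return f"{rec.service}/{rec.domain}"
    raise ValueError(f"unknown policy {policy!r}")

def cert_accepted(rec: SrvRecord, cert_names: list[str], policy: str) -> bool:
    return expected_name(rec, policy) in {n.lower() for n in cert_names}

# Constructed records and a constructed certificate held by the IMAP group only.
IMAP_SRV = "_imap._tcp.example.net. IN SRV 0 0 143 imap.example.net."
LDAP_SRV = "_ldap._tcp.example.net. IN SRV 0 0 389 ldap.example.net."
IMAP_GROUP_CERT = ["example.net", "imap/example.net"]

def spoof_possible(cert_names: list[str], policy: str) -> bool:
    """True when the IMAP group's certificate would also pass for the LDAP service."""
    return (cert_accepted(parse_srv(IMAP_SRV), cert_names, policy)
            and cert_accepted(parse_srv(LDAP_SRV), cert_names, policy))

if __name__ == "__main__":
    for policy in ("domain", "service"):
        print(policy, "-> IMAP cert accepted for LDAP:", spoof_possible(IMAP_GROUP_CERT, policy))
```

Under the "domain" policy the IMAP group's certificate is accepted for LDAP as well, which is exactly the cross-service spoofing Larry describes; the service-qualified policy rejects it.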