
Re: Last Call: Discovering LDAP Services with DNS to Proposed Standard



   Date: Fri, 22 Feb 2002 16:13:26 -0800 (PST)
   From: "RL 'Bob' Morgan" <rlmorgan@washington.edu>
[...]
   Larry makes an excellent point, that it would be better for the service
   name to be not just the name of the host but the name of the host
   qualified by (at least) the name of the protocol/service in question, in
   this case "ldap".  As Paul notes there is well-established practice for
   this in Kerberos (service principals like "ldap/example.net") and GSSAPI
   ("ldap@example.net").  Unfortunately there is (to my knowledge) zero
   existing practice for this in the X.509 certificate world, either in
   commercially-sold certs or home-minted certs.

One last attempt:

perhaps we should include text that a client should accept either

"example.net"  OR  "ldap/example.net"

This allows us to migrate to service based certificates.  If it
catches on in other protocols (especially with SRV records) great.  If
not, clients aren't vulnerable to any new attacks and nothing is lost.

Larry
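As an added example (not part of the thread or of any LDAP implementation), a small Python check of the acceptance rule Larry proposes: a client validating the certificate of the LDAP server at host `example.net` accepts a presented name of either `example.net` or `ldap/example.net`, and nothing else. The presented names and the `cert_matches` helper are constructed for illustration.

```python
"""Certificate name check accepting either a bare host name or a
service-qualified name ("ldap/host"), as proposed in the thread above.
All inputs below are constructed sample values, not real certificates."""

from typing import Iterable, Optional


def accepted_names(host: str, service: str) -> tuple[str, str]:
    """Return the two identifiers a client would accept for this host/service.

    Names are normalised to lower case with any trailing dot removed, since
    DNS names (including SRV targets) are case-insensitive and may be given
    in absolute form."""
    host = host.strip().rstrip(".").lower()
    return (host, f"{service.lower()}/{host}")


def match_presented_name(presented: str, host: str, service: str) -> Optional[str]:
    """Classify one name found in a certificate.

    Returns "service" for the service-qualified form, "host" for the bare
    host form, or None when the name matches neither (e.g. "ldap/other.net"
    or "imap/example.net", which must not be accepted for this server)."""
    name = presented.strip().rstrip(".").lower()
    bare, qualified = accepted_names(host, service)
    if name == qualified:
        return "service"
    if name == bare:
        return "host"
    return None


def cert_matches(presented_names: Iterable[str], host: str, service: str) -> Optional[str]:
    """Check every name the certificate presents against the accepted pair.

    Prefers the service-qualified form when both are present, because it
    binds the certificate to this protocol as well as to the host; returns
    None when no presented name matches, which callers treat as a failed
    certificate check."""
    best = None
    for candidate in presented_names:
        kind = match_presented_name(candidate, host, service)
        if kind == "service":
            return "service"
        if kind == "host":
            best = "host"
    return best
```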