Re: Last Call: Discovering LDAP Services with DNS to Proposed Standard
Date: Fri, 22 Feb 2002 16:13:26 -0800 (PST)
From: "RL 'Bob' Morgan" <rlmorgan@washington.edu>
[...]
Larry makes an excellent point, that it would be better for the service
name to be not just the name of the host but the name of the host
qualified by (at least) the name of the protocol/service in question, in
this case "ldap". As Paul notes there is well-established practice for
this in Kerberos (service principals like "ldap/example.net") and GSSAPI
("ldap@example.net"). Unfortunately there is (to my knowledge) zero
existing practice for this in the X.509 certificate world, either in
commercially-sold certs or home-minted certs.
One last attempt:
perhaps we should include text that a client should accept either
"example.net" OR "ldap/example.net"
This allows us to migrate to service based certificates. If it
catches on in other protocols (especially with SRV records) great. If
not, clients aren't vulnerable to any new attacks and nothing is lost.
Larry
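The acceptance rule Larry proposes, written out as an added example (this is
not code from the thread, the draft, or any LDAP implementation). It assumes
"example.net" is the domain the client used for its _ldap._tcp SRV lookup,
that the certificate's names are available as plain strings (how a
service-qualified name such as "ldap/example.net" would actually be encoded in
an X.509 certificate is left open, since the message says there is no existing
practice for it), and that matching is exact and case-insensitive with no
wildcard handling. It also includes the weaker rule of matching the SRV target's
own host name, and a constructed spoofed-DNS scenario showing why that rule
would expose a client to a new attack while the proposed rule does not; that
comparison is my own reasoning, not a claim made in the message.

```python
"""Certificate-name acceptance for an SRV-discovered LDAP server.

Added example, not code from the thread. All host and domain names below
are constructed for illustration.
"""
from __future__ import annotations

SERVICE = "ldap"


def _norm_host(name: str) -> str:
    """DNS names compare case-insensitively; a trailing dot is ignored."""
    return name.rstrip(".").lower()


def _norm_presented(name: str) -> str:
    """Normalise a certificate name, keeping a 'service/host' prefix if present."""
    if "/" in name:
        svc, _, host = name.partition("/")
        return f"{svc.lower()}/{_norm_host(host)}"
    return _norm_host(name)


def acceptable_names(domain: str, service: str = SERVICE) -> set[str]:
    """The two names the proposed rule accepts for a lookup of <domain>."""
    d = _norm_host(domain)
    return {d, f"{service}/{d}"}


def certificate_matches(domain: str, presented_names, service: str = SERVICE) -> bool:
    """Proposed rule: accept "<domain>" or "<service>/<domain>", nothing else.

    The domain is the name the client chose before consulting DNS, so a
    forged SRV answer cannot change what the certificate must prove.
    """
    wanted = acceptable_names(domain, service)
    return any(_norm_presented(n) in wanted for n in presented_names)


def naive_matches(srv_target: str, presented_names) -> bool:
    """Weaker rule: accept the host name that the SRV record pointed at.

    This trusts an unauthenticated DNS answer to tell the client which
    identity to expect.
    """
    return _norm_host(srv_target) in {_norm_host(n) for n in presented_names}


def spoofed_srv_scenario() -> dict:
    """Constructed scenario: the attacker controls the SRV answer.

    The attacker points _ldap._tcp.example.net at a host they run and
    presents a certificate that is perfectly valid for that host. Under
    the naive rule the client connects; under the proposed rule it does not.
    """
    queried_domain = "example.net"
    spoofed_srv_target = "ldap.attacker.example"          # constructed
    attacker_cert_names = ["ldap.attacker.example"]       # constructed
    return {
        "naive_rule_accepts": naive_matches(spoofed_srv_target, attacker_cert_names),
        "proposed_rule_accepts": certificate_matches(queried_domain, attacker_cert_names),
    }


if __name__ == "__main__":
    # Legitimate certificates the proposed rule accepts (constructed names).
    print(certificate_matches("example.net", ["example.net"]))            # host-style name
    print(certificate_matches("example.net", ["ldap/example.net"]))       # service-qualified
    # The bare SRV target host name alone is not an accepted identity.
    print(certificate_matches("example.net", ["ldap1.example.net"]))
    print(spoofed_srv_scenario())
```

Note that a certificate naming only the SRV target ("ldap1.example.net") fails the
proposed rule: the client asked DNS for example.net's LDAP service, so that is
the identity the certificate has to vouch for. Sites that want to keep a
per-host certificate simply add "example.net" (or "ldap/example.net") to it.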