Re: Last Call: Discovering LDAP Services with DNS to Proposed Standard
At 04:46 PM 2002-02-22, Lawrence Greenfield wrote:
> Date: Fri, 22 Feb 2002 16:13:26 -0800 (PST)
> From: "RL 'Bob' Morgan" <rlmorgan@washington.edu>
>[...]
> Larry makes an excellent point, that it would be better for the service
> name to be not just the name of the host but the name of the host
> qualified by (at least) the name of the protocol/service in question, in
> this case "ldap". As Paul notes there is well-established practice for
> this in Kerberos (service principals like "ldap/example.net") and GSSAPI
> ("ldap@example.net"). Unfortunately there is (to my knowledge) zero
> existing practice for this in the X.509 certificate world, either in
> commercially-sold certs or home-minted certs.
>
>One last attempt:
>
>perhaps we should include text that a client should accept either
>
>"example.net" OR "ldap/example.net"
How a client checks the certificate is defined in RFC 2830, not
this I-D. This I-D defines how to map a DN to a hostname and
how to obtain SRV RRs for that hostname for LDAP location.
This I-D should make this very clear (e.g., it needs to
state that RFC 2830 provides the normative specification
of the check algorithm, not this I-D).
The service-based certificate issue is NOT specific to LDAP
location (DN->hostname, hostname->SRV); it would apply to
SRV-less connections to "example.net" with TLS.
Defining a service-based certificate check mechanism, if
desired, should be drafted as an update to RFC 2830.
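The two steps the reply separates, as an added illustration that is not part of the posting or of either I-D: the location step (DN to domain name, domain name to the SRV owner name) and the RFC 2830-style server identity check (case-insensitive hostname match against the certificate's dNSName values, with "*" allowed only in the left-most label). The DN-to-domain rule used here is a simplification (the trailing run of dc= RDNs), the certificate name lists are constructed, and the function names are this example's own. The last check shows the point under discussion: a certificate naming only "ldap/example.net" does not match the hostname "example.net" under a hostname-only rule.

```python
"""Added example: LDAP location via DN -> domain -> SRV name, plus an
RFC 2830-style hostname check against certificate dNSName values.
Not code from the mailing-list posting or from any I-D."""


def dn_to_domain(dn: str) -> str:
    """Map a DN to a domain name from its dc= components.

    Assumption (simplified rule): use the unbroken run of dc= RDNs at the
    root end of the DN, in DN order; fail if there is none. Escaped commas
    in RDN values are not handled.
    """
    rdns = [rdn.strip() for rdn in dn.split(",") if rdn.strip()]
    labels = []
    for rdn in reversed(rdns):              # walk from the root (right) inward
        attr, _, value = rdn.partition("=")
        if attr.strip().lower() != "dc":
            break                           # run of dc= RDNs ends here
        labels.append(value.strip())
    if not labels:
        raise ValueError("DN has no dc= components; no domain can be derived")
    return ".".join(reversed(labels))       # restore left-to-right order


def ldap_srv_name(domain: str) -> str:
    """Owner name to query for SRV RRs locating the LDAP service."""
    return "_ldap._tcp." + domain.rstrip(".")


def hostname_matches(hostname: str, cert_dns_names: list[str]) -> bool:
    """RFC 2830-style identity check: the hostname the client intends to
    talk to is compared, case-insensitively, with each dNSName presented.
    A '*' wildcard is honoured only as the entire left-most label, so
    '*.example.net' matches 'ldap.example.net' but not 'example.net'."""
    host = hostname.lower().rstrip(".")
    host_labels = host.split(".")
    for name in cert_dns_names:
        name = name.lower().rstrip(".")
        if name.startswith("*."):
            if len(host_labels) >= 2 and ".".join(host_labels[1:]) == name[2:]:
                return True
        elif name == host:
            return True
    return False


def locate_and_check(dn: str, cert_dns_names: list[str]) -> dict:
    """Tie the steps together: derive the domain and SRV name, then run the
    certificate name check against the derived domain."""
    domain = dn_to_domain(dn)
    return {
        "domain": domain,
        "srv_name": ldap_srv_name(domain),
        "cert_ok": hostname_matches(domain, cert_dns_names),
    }


if __name__ == "__main__":
    # Constructed inputs: a DN and two hypothetical certificates' dNSName sets.
    dn = "cn=Bob Morgan,ou=people,dc=example,dc=net"
    host_only_cert = ["example.net", "*.example.net"]
    service_style_cert = ["ldap/example.net"]   # Kerberos-style name in a cert
    print(locate_and_check(dn, host_only_cert))
    print(locate_and_check(dn, service_style_cert))
```

The SRV lookup itself is left to the resolver; what matters for the thread is that nothing about the DN-to-SRV step changes the identity check, which operates only on the hostname and the certificate.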