
Re: Last Call: Discovering LDAP Services with DNS to Proposed Standard



At 04:46 PM 2002-02-22, Lawrence Greenfield wrote:
>   Date: Fri, 22 Feb 2002 16:13:26 -0800 (PST)
>   From: "RL 'Bob' Morgan" <rlmorgan@washington.edu>
>[...]
>   Larry makes an excellent point, that it would be better for the service
>   name to be not just the name of the host but the name of the host
>   qualified by (at least) the name of the protocol/service in question, in
>   this case "ldap".  As Paul notes there is well-established practice for
>   this in Kerberos (service principals like "ldap/example.net") and GSSAPI
>   ("ldap@example.net").  Unfortunately there is (to my knowledge) zero
>   existing practice for this in the X.509 certificate world, either in
>   commercially-sold certs or home-minted certs.
>
>One last attempt:
>
>perhaps we should include text that a client should accept either
>
>"example.net"  OR  "ldap/example.net"

How a client checks the certificate is defined in RFC 2830, not
this I-D.  This I-D defines how to map a DN to a hostname and
how to obtain SRV RRs for that hostname for LDAP location.
This I-D should make this very clear (e.g., it needs to
state that RFC 2830 provides the normative specification
of the check algorithm, not this I-D).

The service-based certificate issue is NOT specific to LDAP
location (DN->hostname, hostname->SRV); it would apply to
SRV-less connections to "example.net" with TLS.

Defining a service-based certificate check mechanism, if
desired, should be drafted as an update to RFC 2830.
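The two steps the reply keeps apart, as an added example that is not part of the thread, the I-D, or RFC 2830: the I-D's DN -> domain -> SRV-name mapping, and the RFC 2830 section 3.6 hostname check a client runs against the names in the server's certificate. Assumptions: the DN mapping rule implemented here (the contiguous run of single-valued dc RDNs starting at the leftmost dc RDN, ending at the first non-dc RDN) is my reading of the I-D, not quoted from it; the SRV answer is constructed, not a real DNS lookup; the optional "ldap/<host>" form is the proposal from the quoted mail and is not RFC 2830 behaviour. Function names are mine.

```python
"""Added example: LDAP location (DN -> domain -> SRV name) and the RFC 2830
hostname-vs-certificate check, kept as two separate steps.  Not code from
the I-D, RFC 2830, or any thread participant; assumptions are marked."""
import re


def split_rdns(dn):
    """Split a string DN into RDN strings on unescaped commas (escaped '\\,' kept)."""
    return [p.strip() for p in re.split(r'(?<!\\),', dn) if p.strip()]


def dn_to_domain(dn):
    """Map a DN to the domain name used for SRV lookup, or None if it has no dc RDN.

    ASSUMED rule (my reading of the locate I-D): scan RDNs from the left; the
    domain is the contiguous run of single-valued dc RDNs beginning at the
    first dc RDN, and the run ends at the first non-dc RDN."""
    labels, started = [], False
    for rdn in split_rdns(dn):
        attr, sep, value = rdn.partition('=')
        is_dc = sep == '=' and attr.strip().lower() == 'dc' and '+' not in rdn
        if is_dc:
            started = True
            labels.append(value.strip().lower())
        elif started:
            break
    return '.'.join(labels) if labels else None


def srv_name(domain, service='ldap', proto='tcp'):
    """RFC 2782 SRV owner name for the service, e.g. _ldap._tcp.example.net."""
    return '_%s._%s.%s' % (service, proto, domain)


# Constructed SRV answer (priority, weight, port, target); not a real lookup.
FAKE_SRV = {
    '_ldap._tcp.example.net': [(10, 0, 389, 'ldap2.example.net'),
                               (0, 100, 389, 'ldap1.example.net')],
}


def locate(dn, srv_records=FAKE_SRV):
    """Return (srv_name, records sorted by priority) for a DN, or None if unmappable."""
    domain = dn_to_domain(dn)
    if domain is None:
        return None
    name = srv_name(domain)
    return name, sorted(srv_records.get(name, []))


def _match_name(presented, hostname):
    """RFC 2830 3.6 matching: case-insensitive; '*' only as the left-most label."""
    presented = presented.lower().rstrip('.')
    hostname = hostname.lower().rstrip('.')
    if presented == hostname:
        return True
    if presented.startswith('*.'):
        rest = presented[2:]
        labels = hostname.split('.')
        return len(labels) >= 2 and '*' not in rest and '.'.join(labels[1:]) == rest
    return False


def hostname_matches_cert(hostname, san_dnsnames, subject_cn,
                          accept_service_form=False, service='ldap'):
    """Check the hostname the client used to connect against the certificate.

    Per RFC 2830 3.6 the dNSName subjectAltName values are used when present,
    otherwise the subject CN.  accept_service_form additionally accepts the
    "ldap/<hostname>" name proposed in the quoted mail (NOT RFC 2830 behaviour)."""
    if san_dnsnames:
        candidates = list(san_dnsnames)
    else:
        candidates = [subject_cn] if subject_cn else []
    for name in candidates:
        if _match_name(name, hostname):
            return True
        if accept_service_form and name.lower() == '%s/%s' % (service, hostname.lower()):
            return True
    return False


if __name__ == '__main__':
    name, recs = locate('cn=John Doe,ou=accounting,dc=example,dc=net')
    target = recs[0][3]  # lowest priority first
    print(name, '->', target)
    # The name checked is the SRV target the client connected to, not the DN's domain.
    print(hostname_matches_cert(target, ['*.example.net'], None))
```

Note the separation the reply insists on: nothing in `dn_to_domain`/`locate` touches certificates, and `hostname_matches_cert` takes only the hostname the client actually connected to (the SRV target), which is what RFC 2830 requires it to compare.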