
Re: Is there anything in LDAP that works similar to HTTP's virtual hosting.



Rick van Rein wrote:
>> 1. If you're using TLS there's AFAIK no specification for how to implement the TLS
>> hostname check (see https://tools.ietf.org/html/rfc6125) to prevent MITM attacks.
> 
> IMHO, the hostname check is immaterial (and potentially confusing, when
> hosting multiple dc=,dc= trees)

Not sure I understand "immaterial". One would have to write a spec which maps the "name"
(here the LDAP URL) used by the client to something stored in the TLS server cert.

Also note that the subjectAltName extension can contain a URI.

> but DANE can be helpful by checking cert
> or key, regardless of naming information in the certificate,
> 
>     https://tools.ietf.org/html/rfc6698

I expected somebody to raise the DANE hype.

Note that DANE requires DNSSEC to be really secure. Also someone would have to write a
spec detailing how to map ldap:///dc=example,dc=com to a DANE (DNS) name (just like a spec
is needed for the TLS hostname check).

Ciao, Michael.
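The post argues that a client has nothing to compare against the server certificate until some spec says what the "name" in an LDAP URL maps to. The following is an added illustration, not code from this thread or from any LDAP implementation, of the decisions such a mapping would have to make: it derives candidate reference identities from an LDAP URL (the URL host, the RFC 2247 domain recovered from a DC-only base DN, and the hostless URI form) and matches them against subjectAltName entries. The SAN list is constructed sample data, and the mapping itself is a hypothetical one chosen for the example.

```python
from typing import Optional
from urllib.parse import urlparse, unquote

# Constructed sample subjectAltName entries as (type, value) pairs; no real certificate.
SAN_ENTRIES = [
    ("DNS", "ldap.example.com"),
    ("URI", "ldap:///dc=example,dc=com"),
]

def dc_to_domain(dn: str) -> Optional[str]:
    """Map an RFC 2247 style DC-only DN (dc=example,dc=com) to example.com.
    Returns None if any RDN is not a dc= component, e.g. ou=people,dc=example,dc=com."""
    labels = []
    for rdn in dn.split(","):
        attr, _, val = rdn.strip().partition("=")
        if attr.strip().lower() != "dc" or not val.strip():
            return None
        labels.append(val.strip().lower())
    return ".".join(labels) if labels else None

def reference_identities(ldap_url: str) -> dict:
    """Hypothetical mapping from an LDAP URL to identities a client could check.
    Both the URL host and the DC-derived domain are offered, because no spec says which
    one (or whether both) should be authoritative; that ambiguity is the thread's point."""
    u = urlparse(ldap_url)
    ids = {"DNS": set(), "URI": set()}
    if u.hostname:
        ids["DNS"].add(u.hostname.lower())
    dn = unquote(u.path.lstrip("/"))
    domain = dc_to_domain(dn) if dn else None
    if domain:
        ids["DNS"].add(domain)
        # Hostless URI form, so one cert can cover a tree served from several hosts.
        ids["URI"].add(f"{u.scheme}:///{dn}")
    return ids

def cert_matches(ldap_url: str, san_entries) -> bool:
    """Exact matching only: wildcards are deliberately not honoured, and an issuer-side
    mismatch (e.g. a cert for another dc= tree) must fail rather than fall back."""
    ids = reference_identities(ldap_url)
    uri_ids = {x.lower() for x in ids["URI"]}
    for kind, value in san_entries:
        if kind == "DNS" and value.lower() in ids["DNS"]:
            return True
        if kind == "URI" and value.lower() in uri_ids:
            return True
    return False
```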

