Re: [certid] What DNS-ID if also using a DNS-SRV?

Paul Hoffman <paul.hoffman@vpnc.org> Wed, 30 June 2010 18:18 UTC

To: Love Hörnquist Åstrand <lha@apple.com>
Cc: certid@ietf.org

At 9:27 AM -0700 6/30/10, Love Hörnquist Åstrand wrote:
>I think that both "direct" and "indirect" SHOULD be allowed at the same time.
>
>The reason is that if you have a client that supports SRV lookups, in for example jabber, then you want to have the SRV name in there so the client can match the server cert with what the user typed.
>
>Of course there are jabber clients out there that don't support SRV lookup and want to do the normal direct mapping rules.
>
>Since the server doesn't really know what client they talk to, it needs to hand out a cert that matches both rules -> must have both for interop reasons.
>
>So the direct names are not used for intermediate values, they are only used with names that come from / are derived from user input.

Unfortunately, I agree with this logic. I say "unfortunately" because it means that we then don't have a MUST, and therefore lose interoperability. For sanity, the document needs to say why it is OK to have both direct and indirect and what to do when they are both there, but I agree that we can't say MUST have only one.

--Paul Hoffman, Director
--VPN Consortium
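As an added illustration (not code from this thread or from the certid draft): a small model of the two client behaviours Love describes, checking a server certificate's presented identifiers against the name the user typed. The identifier shapes (DNS-ID, SRV-ID written as `_service.domain`), the service label `xmpp-client`, the hostnames, and the strict "SRV-aware clients require an SRV-ID" policy are all assumptions made for the example.

```python
"""Model of how an SRV-aware and an SRV-unaware client match a server cert.

Constructed illustration: the matching policy below is an assumption chosen
to mirror the thread's argument, not text taken from the certid draft.
"""

SERVICE = "xmpp-client"  # assumed service label for the jabber example


def srv_reference(service: str, source_domain: str) -> str:
    # The SRV-ID reference identifier is built from the service and the name
    # the user typed (the source domain), never from the SRV target host.
    return f"_{service}.{source_domain.lower()}"


def direct_client_accepts(cert_ids, source_domain: str) -> bool:
    # Client without SRV support: only DNS-IDs are compared, and only
    # against the name the user typed.
    return any(kind == "DNS-ID" and value.lower() == source_domain.lower()
               for kind, value in cert_ids)


def srv_client_accepts(cert_ids, source_domain: str, service: str = SERVICE) -> bool:
    # Client that did an SRV lookup: wants an SRV-ID for the typed name.
    # Assumed policy: no fallback to DNS-ID, which is what makes "must have
    # both" necessary for a server that cannot tell the two clients apart.
    ref = srv_reference(service, source_domain)
    return any(kind == "SRV-ID" and value.lower() == ref for kind, value in cert_ids)


def interoperable(cert_ids, source_domain: str, service: str = SERVICE) -> dict:
    # Which of the two client populations would accept this certificate.
    return {"direct": direct_client_accepts(cert_ids, source_domain),
            "srv": srv_client_accepts(cert_ids, source_domain, service)}


# Constructed sample: the user typed "example.com"; the SRV record points at
# an intermediate host, xmpp1.hosting.example, which must not be matched.
SOURCE = "example.com"
SRV_TARGET = "xmpp1.hosting.example"
CERT_DIRECT_ONLY = [("DNS-ID", "example.com")]
CERT_SRV_ONLY = [("SRV-ID", "_xmpp-client.example.com")]
CERT_BOTH = CERT_DIRECT_ONLY + CERT_SRV_ONLY
CERT_TARGET_NAME = [("DNS-ID", SRV_TARGET)]  # only the intermediate host's name

if __name__ == "__main__":
    for name, ids in [("direct only", CERT_DIRECT_ONLY), ("srv only", CERT_SRV_ONLY),
                      ("both", CERT_BOTH), ("target host", CERT_TARGET_NAME)]:
        print(f"{name:12} -> {interoperable(ids, SOURCE)}")
```

Only the certificate carrying both identifier types satisfies both client populations, and a DNS-ID naming the SRV target host satisfies neither, which is the point of Love's last paragraph.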