Re: [certid] Review of draft-saintandre-tls-server-id-check

[Stefan Santesson <stefan@aaa-sec.com>]

On 10-09-13 7:03 PM, "Shumon Huque" <shuque@isc.upenn.edu> wrote:
>> 
>> Authorized by whom? I *think* that here the DNS domain name is one that
>> the certified subject has itself authorized (perhaps even "established"
>> is better) to provide the desired service. Therefore I suggest an
>> alternative wording:
>> 
>>      "A DNS domain name which the certified subject has
>>       authorized to provide the identified service."
>> 
>> Peter
> 
> I don't think the term "authorized" makes the situation any
> clearer.
> 
> Let's take a concrete example: an IMAP client attempting to
> connect to and use the IMAP service at "example.com".
> 
> It needs to lookup the "_imap._tcp.example.com." DNS SRV record
> to figure out which servers and ports to connect to.
> 
> And in the presented certificate, it needs to expect to find an
> SRVName identifier with "_imap.example.com" as its contents,
> where the _Service and Name components were the same ones it used
> in the SRV query.
> 
> There is no need to figure out who authorized what.

I agree here. Both to this and to former speakers stating that the assertion
is made by the CA and no the subject.

I'm struggling with the most easy to understand text, but I think this says
at least the correct thing:

      "A DNS domain name, representing a domain for which the certificate
       issuer has asserted that the certified subject is a legitimate
       provider of the identified service."

/Stefan