Re: [certid] Gen-ART LC Review of draft-saintandre-tls-server-id-check-11

[Peter Saint-Andre <stpeter@stpeter.im>]

Regarding NAPTR...

On 12/6/10 10:19 AM, Ben Campbell wrote:

> -- 1.4.2, 2nd bullet item: "We also do not address identifiers
> derived from Naming Authority Pointer (NAPTR) DNS resource records
> [NAPTR] and related technologies such as [S-NAPTR], since such
> identifiers cannot be validated in a trusted manner in the absence of
> [DNSSEC]."
> 
> Does that mean validation of a source domain that will be used to
> construct a NAPTR request is out of scope, or just validation against
> the result of a NAPTR query? (I note SIP may require the first).

Ben, the current text in the I-D is lame. The points we were trying to
make, but poorly, are that (1) there are no identifiers for NAPTR
records, as there are for SRV records, and (2) from the perspective of
this spec it doesn't really matter how you get from the source domain to
the IP address you use for communication (perhaps you do the A/AAAA
one-step, the SRV two-step, or the NAPTR three-step, but that's
immaterial for the purpose of identity checking).

Point #1 is close to obvious, so I suggest that we remove the offending
sentence and add this paragraph near the end of Section 1.4.2:

   Although the process whereby a client resolves the DNS domain name of
   an application service can involve several steps (e.g., this is true
   of resolutions that depend on DNS SRV resource records, Naming
   Authority Pointer (NAPTR) DNS resource records [NAPTR], and related
   technologies such as [S-NAPTR]), for our purposes we care only about
   the fact that the client needs to verify the identity of the entity
   with which it communicates as a result of the resolution process.
   The resolution process itself is out of scope.

Peter

-- 
Peter Saint-Andre
https://stpeter.im/