Re: [certid] Domain Components

[Peter Sylvester <peter.sylvester@edelweb.fr>]

On 06/23/2010 03:02 AM, Martin Rex wrote:
> =?ISO-8859-1?Q?Michael_Str=F6der?= wrote:
>    
>> Michael Ströder wrote:
>>      
>>> Paul Hoffman wrote:
>>>        
>>>> It tells us that, when there are multiple ways to do things, and some of
>>>> those ways are known to be insecure due to repeated poor implementations,
>>>> we can say "don't do that" for the bad ways.
>>>>          
>>> That's fine for me too.
>>>        
>> But to make that more clear in this context: The draft should not discourage
>> completely using DCs in the subject-DN. It should only recommend not to encode
>> the server's hostname in the DCs.
>>      
> Nope.  It is important to strongly recommend to clients to _NOT_
> check the server endpoint identity based on DC components, that is
> the important issue.  There is no known sensible, consistent
> and reasonably safe interpretation of DC name components
> as the hostname for a server endpoint.
>    

encoding and checking are two different things. There are two
subchapters. It is not incoherent IMO to recommend
encode a domain if and only if DCs are used at all,
and "discourage" checking in all cases.

> No implementation that doesn't have such code should add it,
>    
At least 'No one is required neither must be forced to add.'
is there any application that requires checking?
> and existing implementations with such code should think about
> removing it or disabling it by default.
>    
Implementations don't think, well, hm, for implementors
the situation might be less clear. Implementation details
are out of scope anyway