Re: [certid] What DNS-ID if also using a DNS-SRV?
Alexey Melnikov <alexey.melnikov@isode.com> Wed, 30 June 2010 18:35 UTC
Message-ID: <4C2B8E43.7070806@isode.com>
Date: Wed, 30 Jun 2010 19:34:43 +0100
From: Alexey Melnikov <alexey.melnikov@isode.com>
To: Paul Hoffman <paul.hoffman@vpnc.org>
In-Reply-To: <p06240820c8513a692695@[10.20.30.158]>
Cc: certid@ietf.org
Subject: Re: [certid] What DNS-ID if also using a DNS-SRV?
Paul Hoffman wrote:
> At 9:27 AM -0700 6/30/10, Love Hörnquist Åstrand wrote:
>
>> I think that both "direct" and "indirect" SHOULD be allowed at the same time.
>>
>> The reason is that if you have a client that supports SRV lookups, in for example jabber, then you want to have the SRV name in there so the client can match the server cert with what the user typed.
>>
>> Of course there are jabber clients out there that don't support SRV lookup and want to do the normal direct mapping rules.
>>
>> Since the server doesn't really know what client they talk to, it needs to hand out a cert that matches both rules -> must have both for interop reasons.
>>
>> So the direct names are not used for intermediate values; they are only used with names that come from, or are derived from, user input.
>
> Unfortunately, I agree with this logic.

I agree with this logic too (without "unfortunately" ;-)).

> I say "unfortunately" because it means that we then don't have a MUST, and therefore lose interoperability. For sanity, the document needs to say why it is OK to have both direct and indirect and what to do when they are both there, but I agree that we can't say MUST have only one.

I think a document specifying how to perform TLS server identity verification for a particular protocol can specify if only one of them can be allowed (and which one), or if both can be allowed. This addresses interoperability for a particular protocol.
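An added example, not code from the certid thread or from any implementation, modelling the two matching rules discussed above: a non-SRV client applies the "direct" rule (a DNS-ID equal to the user-typed domain), an SRV-capable client applies the "indirect" rule (an SRV-ID derived from the service and the user-typed domain), and neither ever matches against the SRV target host. The domain, service and certificate contents are constructed; certificates are given as lists of (type, value) pairs rather than parsed from X.509.

```python
# Added example, not from the certid thread: a small model of the "direct"
# (DNS-ID) and "indirect" (SRV-ID) matching rules the message discusses.
# Certificates are constructed lists of (identifier type, value) pairs as
# they would appear in a SAN extension; no X.509 parsing is done.

SRV_ID, DNS_ID = "SRV-ID", "DNS-ID"


def reference_identifier(source_domain, service, srv_capable):
    """Reference identifier a client expects, derived from the user-typed
    source domain. The SRV target host is an intermediate value and is
    never used ("direct names are not used for intermediate values")."""
    domain = source_domain.rstrip(".").lower()
    if srv_capable:
        return (SRV_ID, f"_{service}.{domain}")  # indirect rule
    return (DNS_ID, domain)                       # direct rule


def client_accepts(presented, source_domain, service, srv_capable):
    """True if the certificate's presented identifiers satisfy this client."""
    want = reference_identifier(source_domain, service, srv_capable)
    # Exact, case-insensitive comparison; wildcard handling is out of scope.
    return any(kind == want[0] and value.rstrip(".").lower() == want[1]
               for kind, value in presented)


def serves_all_clients(presented, source_domain, service):
    """The interop requirement from the thread: one cert must satisfy both
    SRV-aware and non-SRV clients, so it needs both identifier kinds."""
    return all(client_accepts(presented, source_domain, service, cap)
               for cap in (True, False))


# Constructed sample certificates for the user-typed domain "example.com",
# whose _xmpp-client SRV record (assumed) points at xmpp1.hosting.example.
CERT_BOTH = [(SRV_ID, "_xmpp-client.example.com"), (DNS_ID, "example.com")]
CERT_SRV_ONLY = [(SRV_ID, "_xmpp-client.example.com")]
CERT_DIRECT_ONLY = [(DNS_ID, "example.com")]
CERT_SRV_TARGET_ONLY = [(DNS_ID, "xmpp1.hosting.example")]  # intermediate host only

if __name__ == "__main__":
    for name, cert in [("both", CERT_BOTH), ("srv-only", CERT_SRV_ONLY),
                       ("direct-only", CERT_DIRECT_ONLY),
                       ("srv-target-only", CERT_SRV_TARGET_ONLY)]:
        aware = client_accepts(cert, "example.com", "xmpp-client", True)
        plain = client_accepts(cert, "example.com", "xmpp-client", False)
        both = serves_all_clients(cert, "example.com", "xmpp-client")
        print(f"{name:16} srv-aware={aware} non-srv={plain} all={both}")
```

Only CERT_BOTH satisfies both client kinds; the certificate naming just the SRV target is rejected by everyone, because no client derives a reference identifier from the SRV lookup result.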