Re: Review of draft-saintandre-tls-server-id-check

[Stefan Santesson <stefan@aaa-sec.com>]

Peter,

On 10-09-13 6:08 PM, "Peter Saint-Andre" <stpeter@stpeter.im> wrote:
> 
> Hi Shumon,
> 
> As I see it, this I-D is attempting to capture best current practices
> regarding the issuance and checking of certificates containing
> application server identities. Do we have evidence that any existing
> certification authorities issue certificates containing both an SRVname
> for the source domain (e.g., example.com) and dNSName for the target
> domain (e.g., apphosting.example.net)? Do we have evidence that any
> existing application clients perform such checks? If not, I would
> consider such complications to be out of scope for this I-D.
> 
> That said, we need to be aware that if such usage arises in the future,
> someone might write a document that updates or obsoletes this I-D; in
> fact the present authors very much expect that such documents will
> emerge after the Internet community (specifically certification
> authorities, application service providers, and application client
> developers) have gained more experience with PKIX certificates in the
> context of various application technologies.
> 
> Peter

I would like to turn the question around and ask why this specification need
to have an opinion on whether a relying party feels he have to check both
host name and service?

I'm not against describing the typical case, as long as this specification
does not imply that a relying party that has a reason to check two name
types is doing something wrong.

I have no extremely good examples of practical implementation here but
checking both host name and service seems like both extremely easy and good
practice.

/Stefan