Re: [TLS] RFC-4366-bis and the unrecognized_name(112) alert

Peter Sylvester <> Mon, 14 June 2010 19:18 UTC

Date: Mon, 14 Jun 2010 18:08:24 +0200
From: Peter Sylvester <>
Subject: Re: [TLS] RFC-4366-bis and the unrecognized_name(112) alert
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>

> TLS does not need to know anything about DNS (server) names involved
> in a communication.  That is, and has always been, clearly specified
> by all versions of TLS to be entirely an application matter.
... and a server doesn't need to have a DNS name at all.

I am not sure whether I understand (or ever understood) what
SNI is for, at least I'd say that if an application protocol that
uses DNS names to identify different application level endpoints
(which is common due to IP address shortage),
and if the application wants to use different TLS protection
mechanisms for each of the endpoints, or, when the
client part would expect this as a possibility, either in general
for the application or in particular for the intended
communication, the client protocol client needs
a way to communicate the desired DNS name to the TLS layer
and to the application entity, the latter not necessarily in theory
if TLS is always used. SNI is one way to do the first.

A priori, it has nothing to do with certificates;
in SRP/TLS authentication one may not even have such things.
In practice, for at least one not totally unimportant protocol,
the only "visible" effect is the usage of different certificates
for authentication.

A (theoretical) application protocol, for example, could
require a matching IP address in order to recognize
a server endpoint.
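The message above describes SNI as the way a client hands the desired DNS name down to the TLS layer, and the subject line concerns what a server does when that name is one it does not serve. The following is an added illustration, written for this archive page and not part of the message, the thread, or any RFC text. It builds a constructed ClientHello carrying a server_name extension, parses the host_name back out with the bounds checks a server-side dispatcher needs, and sorts the result into the three cases a server has to distinguish: no SNI at all, a name it recognizes, and a name it does not. The virtual-host table and certificate labels are constructed sample values; how a server reacts to the third case (fall back to a default, send the unrecognized_name alert, or both) is exactly the policy question the subject line raises and is left as a returned status rather than decided here.

```python
import struct
from typing import Dict, Optional, Tuple

EXT_SERVER_NAME = 0x0000      # extension type for server_name
NAME_TYPE_HOST_NAME = 0x00    # the only NameType defined for server_name


def build_client_hello(server_name: Optional[bytes]) -> bytes:
    """Construct a minimal ClientHello record, optionally with an SNI extension.

    Constructed sample input only: fixed random, one cipher suite, no real handshake.
    """
    random = bytes(range(32))                         # not secure; sample data
    body = b"\x03\x03" + random                       # legacy_version + random
    body += b"\x00"                                   # session_id: length 0
    body += struct.pack("!H", 2) + b"\x13\x01"        # cipher_suites: one suite
    body += b"\x01\x00"                               # compression_methods: null
    extensions = b""
    if server_name is not None:
        entry = bytes([NAME_TYPE_HOST_NAME]) + struct.pack("!H", len(server_name)) + server_name
        name_list = struct.pack("!H", len(entry)) + entry
        extensions += struct.pack("!HH", EXT_SERVER_NAME, len(name_list)) + name_list
    body += struct.pack("!H", len(extensions)) + extensions
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def _u16(buf: bytes, pos: int) -> int:
    """Read a big-endian uint16 at pos, refusing to read past the buffer."""
    if pos + 2 > len(buf):
        raise ValueError("truncated field at offset %d" % pos)
    return struct.unpack("!H", buf[pos:pos + 2])[0]


def _parse_server_name_list(data: bytes) -> Optional[str]:
    """Return the first host_name entry of a ServerNameList, or None if there is none."""
    list_len = _u16(data, 0)
    if 2 + list_len != len(data):
        raise ValueError("server_name list length does not match extension length")
    pos = 2
    while pos < 2 + list_len:
        name_type = data[pos]
        name_len = _u16(data, pos + 1)
        name = data[pos + 3:pos + 3 + name_len]
        if len(name) != name_len:
            raise ValueError("truncated server name")
        pos += 3 + name_len
        if name_type == NAME_TYPE_HOST_NAME:
            return name.decode("ascii")     # host_name is ASCII (IDNA A-labels)
    return None                             # only unknown name types present


def parse_sni(record: bytes) -> Optional[str]:
    """Extract the SNI host_name from a ClientHello record; None if no SNI is present.

    Raises ValueError on malformed or truncated input instead of indexing blindly.
    """
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = _u16(record, 3)
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello handshake message")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len:
        raise ValueError("truncated ClientHello")
    pos = 2 + 32                                   # skip legacy_version and random
    if pos >= len(body):
        raise ValueError("truncated ClientHello")
    pos += 1 + body[pos]                           # session_id
    pos += 2 + _u16(body, pos)                     # cipher_suites
    if pos >= len(body):
        raise ValueError("truncated ClientHello")
    pos += 1 + body[pos]                           # compression_methods
    if pos == len(body):
        return None                                # no extensions block at all
    ext_total = _u16(body, pos)
    pos += 2
    end = pos + ext_total
    if end != len(body):
        raise ValueError("extensions length does not match ClientHello length")
    while pos + 4 <= end:
        ext_type, ext_len = _u16(body, pos), _u16(body, pos + 2)
        pos += 4
        if pos + ext_len > end:
            raise ValueError("extension overruns extensions block")
        if ext_type == EXT_SERVER_NAME:
            return _parse_server_name_list(body[pos:pos + ext_len])
        pos += ext_len
    return None


# Constructed virtual-host table: SNI name -> label of the credential to use.
VIRTUAL_HOSTS: Dict[str, str] = {"www.example.test": "cert-A", "mail.example.test": "cert-B"}
DEFAULT_HOST = "www.example.test"


def select_virtual_host(record: bytes, hosts: Dict[str, str], default: str) -> Tuple[str, str]:
    """Pick the endpoint a server would serve and report which case applied.

    Status is one of 'no_sni', 'matched', 'unrecognized_name'; the caller decides
    whether an unrecognized name also warrants the unrecognized_name alert.
    """
    name = parse_sni(record)
    if name is None:
        return default, "no_sni"
    if name in hosts:
        return name, "matched"
    return default, "unrecognized_name"


def rejects_truncated(record: bytes, keep: int) -> bool:
    """True if parse_sni refuses a record cut to `keep` bytes rather than misparsing it."""
    try:
        parse_sni(record[:keep])
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for name in (b"www.example.test", b"other.example.test", None):
        hello = build_client_hello(name)
        print(name, "->", select_virtual_host(hello, VIRTUAL_HOSTS, DEFAULT_HOST))
```

The dispatcher returns a status alongside the chosen endpoint rather than acting on it, because the two sensible server reactions to a name it does not serve (quietly serving the default, or doing so while also sending the warning-level alert named in the subject line) differ only in that decision, and a server implementing either can consume the same parsed result.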