At 12:36 PM +0100 6/19/10, Alexey Melnikov wrote:
>Hi Paul,
>
>Paul Hoffman wrote:
>
>> 1. The certificate MUST include a "DNS-ID" (i.e., a subjectAltName
>> identifier of type dNSName).
>>
>> 2. If the service using the certificate deploys a technology in
>> which a server is discovered by means of DNS SRV records
>> [DNS-SRV] (e.g., this is true of [XMPP]), then the certificate
>> SHOULD include an "SRV-ID" (i.e., an instance of the SRVName form
>> of otherName from the GeneralName structure in the subjectAltName
>> as specified in [SRVNAME]).
>>
>>If 2 is true, what is the value of the required DNS-ID?
>>
>One or more hostnames for machines that would provide the specified service.
>I.e., most likely some/all hostnames from the output of DNS SRV lookup, but I
>can think of some examples where other hostnames can be used in addition to or
>instead of these. E.g., a machine on an internal network, the hostname of a NAT box,
>etc.
So a cert says "the hostname of this server is www.example.com, and you can look up the hostname for the server using SRV"? What does that mean in a security context? If I get back one name of yyy.example.com, does that mean that the host has both names, or that there was a lookup error?

--Paul Hoffman, Director
--VPN Consortium

_______________________________________________
certid mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/certid
