On 06/23/2010 03:02 AM, Martin Rex wrote:
=?ISO-8859-1?Q?Michael_Str=F6der?= wrote:
Michael Ströder wrote:
Paul Hoffman wrote:
It tells us that, when there are multiple ways to do things, and some of
those ways are known to be insecure due to repeated poor implementations,
we can say "don't do that" for the bad ways.
That's fine for me too.
But to make that more clear in this context: The draft should not discourage
completely using DCs in the subject-DN. It should only recommend not to encode
the server's hostname in the DCs.
Nope. It is important to strongly recommend to clients to _NOT_
check the server endpoint identity based on DC components, that is
the important issue. There is no known sensible, consistent
and reasonably safe interpretation of DC name components
as the hostname for a server endpoint.
encoding and checking are two different things. There are two
subchapters. It is not incoherent IMO to recommend
encode a domain if and only if DCs are used at all,
and "discourage" checking in all cases.
No implementation that doesn't have such code should add it,
At least 'No one is required neither must be forced to add.'
is there any application that requires checking?
and existing implementations with such code should think about
removing it or disabling it by default.
Implementations don't think, well, hm, for implementors
the situation might be less clear. Implementation details
are out of scope anyway
_______________________________________________
certid mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/certid
