Hi Paul,
Paul Hoffman wrote:
At 12:36 PM +0100 6/19/10, Alexey Melnikov wrote:
Hi Paul,
Paul Hoffman wrote:
1. The certificate MUST include a "DNS-ID" (i.e., a subjectAltName
identifier of type dNSName).
2. If the service using the certificate deploys a technology in
which a server is discovered by means of DNS SRV records
[DNS-SRV] (e.g., this is true of [XMPP]), then the certificate
SHOULD include an "SRV-ID" (i.e., an instance of the SRVName form
of otherName from the GeneralName structure in the subjectAltName
as specified in [SRVNAME]).
If 2 is true, what is the value of the required DNS-ID?
One or more hostnames for machines that would provide the specified service. I.e. most likely some/all hostnames from the output of a DNS SRV lookup, but I can think of some examples where other hostnames can be used in addition to or instead of these. E.g. a machine on an internal network, the hostname of a NAT box, etc.
So a cert says "the hostname of this server is www.example.com, and you can look up
the hostname for the server using SRV"? What does that mean in a security context?
This is a good question and it took me some time to gather thoughts on
how to reply to it.
If I get back one name of yyy.example.com, does that mean that the host has
both names, or that there was a lookup error?
In general it can be either, or neither. I don't think one can draw any
conclusion. Let me try to do a more detailed explanation on how this is
supposed to work (at least with the current version of the document):
Let's say we have a certificate with (I might be getting the syntax
wrong, but you should get the idea of what I mean)
dNSName: imap.example.com
sRVName: _imap._tcp.example.com
I've changed www.example.com to imap.isode.com, as there is now a
specification about how to use DNS SRV for locating IMAP servers. But
the idea applies to other services.
So the document says that a client using DNS SRV must check sRVName
first. Only if sRVName is not found, then it can check the dNSName.
So a client doing DNS SRV lookup for service "imap" for domain
"example.com" wouldn't care if the returned hostname is imap.example.com
or yyy.example.com.
Another client which is explicitly configured with a hostname will only
check the dNSName value and will not check any sRVName values.
There might be several reasons why DNS SRV might return something
different from "imap.example.com": different hostnames used on internal
and external networks (due to NATs), clustering, etc. So clients
shouldn't automatically check if sRVName resolves to one or more of
dNSName values specified in the same certificate.
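The two client behaviours described above (an SRV-discovered client checks sRVName first and falls back to dNSName only when the certificate carries none; an explicitly configured client checks dNSName only and ignores sRVName), written out as an added Python example. This is not code from the thread, from the draft, or from any implementation. The subjectAltName entries are passed in as plain strings; the `_imap._tcp.example.com` spelling of the SRV-ID follows the thread's illustration rather than the encoding defined in [SRVNAME]; and two choices the message leaves open are marked as assumptions in the code: the fallback reference for an SRV-discovered client is the source domain the lookup started from, and a present-but-mismatching sRVName is treated as a failure rather than a reason to fall back.

```python
# Added example: a model of the identity check described in the thread.
# Not code from the certid thread, RFC 6125, [SRVNAME] or any library.
from dataclasses import dataclass, field
from typing import List


@dataclass
class CertIdentifiers:
    """subjectAltName entries already extracted from a certificate."""
    dns_ids: List[str] = field(default_factory=list)  # dNSName entries
    srv_ids: List[str] = field(default_factory=list)  # SRVName otherName entries


def make_srv_id(service: str, domain: str) -> str:
    """Reference SRV-ID for an SRV lookup of <service> in <domain>.
    ASSUMPTION: uses the '_imap._tcp.example.com' spelling from the thread;
    the real SRVName encoding is specified in [SRVNAME], so adapt this to
    whatever your certificate parser hands back."""
    return f"_{service}._tcp.{domain}".lower()


def _norm(name: str) -> str:
    # Case-insensitive comparison with any trailing dot removed.
    return name.lower().rstrip(".")


def _match_dns_id(reference: str, cert: CertIdentifiers) -> bool:
    """Exact comparison against each dNSName. Wildcard labels and IDNA
    normalisation are deliberately out of scope for this example."""
    return any(_norm(reference) == _norm(d) for d in cert.dns_ids)


def verify_srv_discovered(service: str, source_domain: str,
                          cert: CertIdentifiers) -> str:
    """Client that located the server via an SRV lookup for <service> in
    source_domain.  Returns 'srv-id' or 'dns-id' to say which identifier
    type produced the match, or 'fail'."""
    if cert.srv_ids:
        wanted = make_srv_id(service, source_domain)
        if any(wanted == _norm(s) for s in cert.srv_ids):
            return "srv-id"
        # ASSUMPTION: sRVName present but not matching is a hard failure;
        # the thread's "only if sRVName is not found" is read here as
        # "only if the certificate has no sRVName at all".
        return "fail"
    # No sRVName in the certificate, so fall back to dNSName.
    # ASSUMPTION: the reference is the source domain the client started
    # from, never the target hostname returned by the SRV answer.  That is
    # why the client does not care whether SRV returned imap.example.com
    # or yyy.example.com, and why it never cross-checks that the SRV
    # target resolves to one of the certificate's dNSName values.
    return "dns-id" if _match_dns_id(source_domain, cert) else "fail"


def verify_configured_host(hostname: str, cert: CertIdentifiers) -> str:
    """Client explicitly configured with a hostname: only dNSName counts;
    any sRVName entries in the certificate are ignored entirely."""
    return "dns-id" if _match_dns_id(hostname, cert) else "fail"


# Constructed sample certificates (not real certificates).
THREAD_CERT = CertIdentifiers(dns_ids=["imap.example.com"],
                              srv_ids=["_imap._tcp.example.com"])
DNS_ONLY_CERT = CertIdentifiers(dns_ids=["example.com"])
WRONG_SRV_CERT = CertIdentifiers(dns_ids=["imap.example.com"],
                                 srv_ids=["_xmpp-client._tcp.example.com"])

if __name__ == "__main__":
    print(verify_srv_discovered("imap", "example.com", THREAD_CERT))    # srv-id
    print(verify_configured_host("imap.example.com", THREAD_CERT))      # dns-id
    print(verify_srv_discovered("imap", "example.com", DNS_ONLY_CERT))  # dns-id
    print(verify_srv_discovered("imap", "example.com", WRONG_SRV_CERT)) # fail
    print(verify_configured_host("example.com", THREAD_CERT))           # fail
```

The last two calls show the two directions of the separation: an SRV client rejects a certificate whose sRVName is for another service even though its dNSName would have matched, and a configured client rejects the thread's certificate when configured with the bare domain, because it never consults the sRVName.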
_______________________________________________
certid mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/certid