On 8/3/10 11:46 PM, Stefan Winter wrote:
> Hi,
>
>> Besides DNSSEC, or some other secure mapping service, I can't think
>> of an obvious one. You'd need to figure out how to encode the service
>> identity in the DNS query name, which is precisely the thing the
>> S-NAPTR lookup is trying to find.
>>
>
> Thanks for giving this some thought!
>
>>> And do you consider discussing this issue in your draft?
>>>
>> Are you proposing to just discuss this issue, or that we should
>> try to find a solution to the problem?
>>
>
> I wouldn't mind if you try to solve it, of course :-) But since there is
> apparently no trivial "fix" to server id validation, I'd be just as
> happy with a simple paragraph stating that validation of
> (S-)NAPTR-derived identities doesn't work in a trusted manner without
> DNSSEC.
>
> (But that's just me, since I don't mind prescribing DNSSEC in my draft;
> but my working group chair already expressed that he'd prefer something
> else)

I've added a note about this to our working copy (Jeff and I are working to push out -09 today).

Peter

--
Peter Saint-Andre
https://stpeter.im/
