Peter,

1.  I had an email problem so probably missed the discussion; however, I do not 
understand the current text for the example of a delegated domain.  I would 
suggest text, but as I am running on "I don't understand", that is not possible.  
Is this supposed to be some type of mapping that says the domain X is really 
the domain Y?

2.   In the definition of reference identifier s/optionally/optionally/

3.   In section 2.1 you have the sentence "This dimension matters most for 
certificate verification."  Would this be more appropriate as 
s/verification/consumption/ ?  The process of certificate verification does not 
really care, but the name matching does.

4.  In the definitions you might want to add one for "automated client" to 
match "interactive client".

5.  On page 20, the following text exists:
   For an interactive client, it is strongly encouraged that each
   reference identifier SHOULD be based on the source domain provided by
   the user and SHOULD NOT be based on a derived domain (e.g., a host
   name or domain name discovered through DNS resolution of the source
   domain).

I am not clear why this is important for interactive clients and not for 
automated clients.

6.  In section 4.6.2 - I am disappointed that the concept of checking that the 
context is either the same or similar is not also included in this check.  I 
think this is an important concept.


Jim
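An added illustration of the source-domain versus derived-domain distinction raised in point 5 (example code written for this page, not from the draft or from anyone in this thread). The domain names, the service name and the presented certificate identifiers are constructed; the matching rules are a simplified reading of the draft's DNS-ID/SRV-ID and wildcard guidance.

```python
from dataclasses import dataclass

# Constructed scenario: the user typed "example.com" as the source domain.
# Unauthenticated DNS resolution (e.g. an SRV or CNAME lookup) points the
# client at "imap.hosting.example.net", a derived domain.  Because the draft
# builds reference identifiers from the source domain only, a certificate
# naming just the derived domain does not verify the user's intended service;
# accepting it would let whoever controls the DNS answer pick the server.

@dataclass(frozen=True)
class ReferenceIdentifier:
    kind: str          # "DNS-ID" or "SRV-ID"
    domain: str        # source domain supplied by the user
    service: str = ""  # SRV service name (SRV-ID only), e.g. "imap"

def build_reference_identifiers(source_domain, service=None):
    """Derive reference identifiers from the user-supplied source domain,
    never from names discovered by resolving it."""
    refs = [ReferenceIdentifier("DNS-ID", source_domain.lower())]
    if service:
        refs.append(ReferenceIdentifier("SRV-ID", source_domain.lower(), service.lower()))
    return refs

def dns_name_matches(presented, reference):
    """Case-insensitive label-by-label comparison.  A wildcard is honoured
    only when it is the entire left-most label and stands for one label."""
    p, r = presented.lower().split("."), reference.lower().split(".")
    if len(p) != len(r) or any("*" in label for label in p[1:]):
        return False
    if p[0] == "*":
        return p[1:] == r[1:]
    return p == r

def verify(presented_ids, reference_ids):
    """presented_ids: (kind, value) pairs taken from the certificate, e.g.
    ("DNS-ID", "example.com") or ("SRV-ID", "_imap.example.com").
    Returns True if any presented identifier matches a reference identifier."""
    for kind, value in presented_ids:
        for ref in reference_ids:
            if kind != ref.kind:
                continue
            if kind == "DNS-ID" and dns_name_matches(value, ref.domain):
                return True
            if kind == "SRV-ID":
                svc, _, name = value.lower().partition(".")
                # SRV-ID name portion is matched exactly here (no wildcard).
                if svc == "_" + ref.service and name == ref.domain:
                    return True
    return False
```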



> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On Behalf Of
> Peter Saint-Andre
> Sent: Wednesday, October 20, 2010 9:36 AM
> To: IETF cert-based identity
> Subject: [certid] Fwd: I-D Action:draft-saintandre-tls-server-id-check-10.txt
> 
> Finally! The diff is here:
> 
> http://tools.ietf.org/rfcdiff?url2=draft-saintandre-tls-server-id-check-10
> 
> -------- Original Message --------
> Subject: I-D Action:draft-saintandre-tls-server-id-check-10.txt
> Date: Wed, 20 Oct 2010 09:30:02 -0700 (PDT)
> From: [email protected]
> Reply-To: [email protected]
> To: [email protected]
> 
> A New Internet-Draft is available from the on-line Internet-Drafts 
> directories.
> 
>       Title           : Representation and Verification of Domain-Based
> Application Service Identity within Internet Public Key Infrastructure Using
> X.509 (PKIX) Certificates in the Context of Transport Layer Security (TLS)
>       Author(s)       : P. Saint-Andre, J. Hodges
>       Filename        : draft-saintandre-tls-server-id-check-10.txt
>       Pages           : 46
>       Date            : 2010-10-20
> 
> Many application technologies enable a secure connection between two
> entities by means of Internet Public Key Infrastructure Using X.509
> (PKIX) certificates in the context of Transport Layer Security (TLS).
> This document specifies best current practices for representing and verifying
> the identity of application services in such interactions.
> 
> A URL for this Internet-Draft is:
> http://www.ietf.org/internet-drafts/draft-saintandre-tls-server-id-check-10.txt
> 
> Internet-Drafts are also available by anonymous FTP at:
> ftp://ftp.ietf.org/internet-drafts/
> 
> Below is the data which will enable a MIME compliant mail reader
> implementation to automatically retrieve the ASCII version of the Internet-
> Draft.


_______________________________________________
certid mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/certid