draft-saintandre-tls-server-id-check-11, section 3.2 says:

    A certificate for the IMAP-accessible email server at "mail.example.net" might include SRV-IDs of "_imap.mail.example.net" and "_imaps.mail.example.net" (see [EMAIL-SRV]) and a DNS-ID of "mail.example.net".
As I understand it, the SRV-ID is based on the source domain, not the derived domain, and so "_imap.mail.example.net" would only be correct if you were expecting clients to do a SRV lookup for "_imap._tcp.mail.example.net". But the more usual case would be doing a lookup for "_imap._tcp.example.net", in which case the corresponding SRV-ID would be "_imap.example.net". Right?

So the example should say something like:

    A certificate for the IMAP-accessible email server at "mail.example.net", which is pointed to by the SRV records "_imap._tcp.example.net" and "_imaps._tcp.example.net", might include SRV-IDs of "_imap.example.net" and "_imaps.example.net" (see [EMAIL-SRV]) and a DNS-ID of "mail.example.net".

Likewise for the XMPP example that follows it, and the corresponding examples in 4.2.2.

-- 
Dan

_______________________________________________
certid mailing list
https://www.ietf.org/mailman/listinfo/certid
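The point of the message above is that an SRV-ID is built from the source domain (the name the user typed and the client looked up), not from the SRV target. The following is an added example, not code from the draft, from Dan, or from the certid list: it derives the SRV-ID a client should expect from the owner name it looked up, then checks a certificate's reference identifiers against it, so you can see the draft's original example fail and the corrected one pass. The SRV-ID form "_Service.Name" follows the SRVName definition the draft references; the function names, the certificate dictionaries and the `derived_domain_trusted` flag (standing in for "the client has a secured or explicitly configured reason to trust the derived domain") are assumptions made for this illustration.

```python
"""Match a server certificate's SRV-IDs / DNS-IDs against what a client
expects after an SRV lookup.  Added example, not code from the draft or
from the certid list.  The name forms follow the draft's SRV-ID definition
(SRVName: "_Service.Name"); helper names and sample certificates are
constructed for illustration.
"""
import re

# An SRV owner name is "_<service>._<proto>.<source domain>".
_SRV_OWNER_RE = re.compile(
    r"^_(?P<service>[^.]+)\._(?P<proto>tcp|udp|sctp)\.(?P<domain>.+?)\.?$",
    re.IGNORECASE,
)


def _normalize(name: str) -> str:
    """Canonical form for comparison: lower-case, no trailing dot."""
    return name.rstrip(".").lower()


def expected_srv_id(srv_owner_name: str) -> str:
    """Derive the SRV-ID a client should expect from the name it looked up.

    The protocol label is dropped and the *source* domain (the domain the
    user supplied) is kept.  The SRV target (derived domain) plays no part.
    "_imap._tcp.example.net" -> "_imap.example.net"
    """
    m = _SRV_OWNER_RE.match(srv_owner_name)
    if not m:
        raise ValueError(f"not an SRV owner name: {srv_owner_name!r}")
    return _normalize(f"_{m['service']}.{m['domain']}")


def verify_reference_identifiers(srv_owner_name: str, srv_target: str, cert: dict,
                                 derived_domain_trusted: bool = False):
    """Return (kind, identifier) for the first acceptable match, else None.

    Matching is exact and case-insensitive; no wildcards are honoured for
    either identifier type.  `cert` is {"srv_ids": [...], "dns_ids": [...]}.
    `derived_domain_trusted` is an assumption of this example: only when it
    is True does a DNS-ID naming the SRV target (derived domain) count.
    """
    source_domain = _normalize(_SRV_OWNER_RE.match(srv_owner_name)["domain"])
    want_srv_id = expected_srv_id(srv_owner_name)

    # 1. SRV-ID for the source domain: the identifier the draft is about.
    for cand in cert.get("srv_ids", []):
        if _normalize(cand) == want_srv_id:
            return ("SRV-ID", _normalize(cand))

    # 2. DNS-ID for the source domain is always acceptable.
    for cand in cert.get("dns_ids", []):
        if _normalize(cand) == source_domain:
            return ("DNS-ID", _normalize(cand))

    # 3. DNS-ID for the derived domain only if the client has reason to trust it.
    if derived_domain_trusted:
        for cand in cert.get("dns_ids", []):
            if _normalize(cand) == _normalize(srv_target):
                return ("DNS-ID", _normalize(cand))
    return None


# Constructed sample certificates mirroring the two wordings in the thread.
DRAFT_EXAMPLE_CERT = {          # section 3.2 as written in draft -11
    "srv_ids": ["_imap.mail.example.net", "_imaps.mail.example.net"],
    "dns_ids": ["mail.example.net"],
}
CORRECTED_CERT = {              # the wording proposed in the message
    "srv_ids": ["_imap.example.net", "_imaps.example.net"],
    "dns_ids": ["mail.example.net"],
}

if __name__ == "__main__":
    lookup, target = "_imap._tcp.example.net", "mail.example.net"
    print("expected SRV-ID:", expected_srv_id(lookup))
    print("draft cert:    ", verify_reference_identifiers(lookup, target, DRAFT_EXAMPLE_CERT))
    print("corrected cert:", verify_reference_identifiers(lookup, target, CORRECTED_CERT))
```

Running it shows the draft's certificate matching nothing for a client that looked up `_imap._tcp.example.net` (its SRV-IDs name the derived domain, and the derived-domain DNS-ID is not trusted by default), while the corrected certificate matches on `_imap.example.net`. Swapping the lookup to `_imap._tcp.mail.example.net` is the only case in which the draft's original SRV-IDs match, which is the situation the message describes.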
