> The use of SRV-IDs is supposed to ensure that the client connects to the
> service type it wanted from among the services available at the DNS name
> it wanted.  However, given that...
>
> - The client's list of reference identifiers MUST include a DNS-ID
> (section 6.2.10)

you mean S6.2.1, yes?

> - The examples of server certificates that include a SRV-ID (section
> 4.2) also include a DNS-ID
> - The server ID check succeeds if any reference identifier matches any
> presented identifier (section 6.3)
>
> it would appear that the DNS-IDs will always match, making the service
> types in the SRV-IDs irrelevant.  Am I right?

thx for the heads-up, but I don't think so, see section 6.5...

###

6.5. Matching the Application Type Portion


   If a client supports checking of identifiers of type SRV-ID and
   URI-ID, it MUST also check the service type of the application
   service with which it communicates (in addition to checking the
   domain name as described above).  This is a best practice because
   typically a client is not designed to communicate with all kinds of
   services using all possible application protocols, but instead is
   designed to communicate with one kind of service, such as websites,
   email services, VoIP services, or IM services.

   The service type is verified by means of an SRV-ID or a URI-ID.

6.5.1. SRV-ID


   The service name portion of an SRV-ID (e.g., "imaps") MUST be matched
   in a case-insensitive manner, in accordance with [DNS-SRV].  Note
   that the "_" character is prepended to the service identifier in DNS
   SRV records and in SRV-IDs (per [SRVNAME]), and thus does not need to
   be included in any comparison.

6.5.2. URI-ID


   The scheme name portion of a URI-ID (e.g., "sip") MUST be matched in
   a case-insensitive manner, in accordance with [URI].  Note that the
   ":" character is a separator between the scheme name and the rest of
   the URI, and thus does not need to be included in any comparison.

###


I note that we should fix the S6.5 title to be..

  "Matching the Application Service Type Portion"

..or simply..

  "Matching the Application Service Type"


thanks,

=JeffH




_______________________________________________
certid mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/certid
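As an added illustration of the section 6.5 comparison rules quoted above (example code written for this page; it is not from the draft, the list thread, or any implementation): the service name of an SRV-ID is compared case-insensitively with the leading "_" dropped, the scheme of a URI-ID is compared case-insensitively with the ":" separator dropped, and in both cases the domain name portion must match as well. The identifier strings, hostnames and function names are this example's own, and the URI host extraction assumes a plain hostname (no IPv6 literal).

```python
"""Example code added for this page (not from the draft or the list thread):
the application service type comparison of section 6.5, for SRV-IDs (6.5.1)
and URI-IDs (6.5.2), beside a plain case-insensitive domain comparison.
Identifier strings, hostnames and function names are this example's own."""


def parse_srv_id(srv_id):
    """Split an SRV-ID of the form "_service.domain" into (service, domain).

    The leading "_" is part of the SRV-ID syntax, not of the service name,
    so it is removed here and never takes part in a comparison."""
    if not srv_id.startswith("_") or "." not in srv_id:
        raise ValueError("not an SRV-ID: %r" % srv_id)
    service, domain = srv_id[1:].split(".", 1)
    if not service or not domain:
        raise ValueError("not an SRV-ID: %r" % srv_id)
    return service, domain


def parse_uri_id(uri_id):
    """Split a URI-ID into (scheme, host).

    The ":" after the scheme is a separator, not part of the scheme name.
    Assumption of this example: the host is a plain name, possibly preceded
    by "//", userinfo and "@", possibly followed by ":port" or a path; IPv6
    literals are not handled."""
    scheme, sep, rest = uri_id.partition(":")
    if not sep or not scheme:
        raise ValueError("not a URI-ID: %r" % uri_id)
    authority = rest.lstrip("/").split("/", 1)[0]
    host = authority.rsplit("@", 1)[-1].split(":", 1)[0]
    if not host:
        raise ValueError("no host in URI-ID: %r" % uri_id)
    return scheme, host


def domains_match(reference, presented):
    """Case-insensitive comparison of the domain name portion (exact match
    only; wildcard handling is outside this example)."""
    return reference.rstrip(".").lower() == presented.rstrip(".").lower()


def srv_ids_match(reference, presented):
    """Section 6.5.1: the service name is compared case-insensitively, and
    the domain name must match too."""
    ref_service, ref_domain = parse_srv_id(reference)
    pres_service, pres_domain = parse_srv_id(presented)
    return (ref_service.lower() == pres_service.lower()
            and domains_match(ref_domain, pres_domain))


def uri_ids_match(reference, presented):
    """Section 6.5.2: the scheme name is compared case-insensitively, and
    the host must match too."""
    ref_scheme, ref_host = parse_uri_id(reference)
    pres_scheme, pres_host = parse_uri_id(presented)
    return (ref_scheme.lower() == pres_scheme.lower()
            and domains_match(ref_host, pres_host))


# Identifiers are (type, value) pairs; the type names are the draft's.
MATCHERS = {
    "DNS-ID": domains_match,
    "SRV-ID": srv_ids_match,
    "URI-ID": uri_ids_match,
}


def identifiers_match(reference, presented):
    """A reference identifier matches a presented identifier only when both
    are of the same type and that type's comparison rule holds."""
    ref_type, ref_value = reference
    pres_type, pres_value = presented
    if ref_type != pres_type:
        return False
    try:
        return MATCHERS[ref_type](ref_value, pres_value)
    except ValueError:
        return False  # a malformed identifier on either side never matches


def any_identifier_matches(reference_ids, presented_ids):
    """Section 6.3 style outcome: success if any reference identifier
    matches any presented identifier."""
    return any(identifiers_match(r, p)
               for r in reference_ids for p in presented_ids)


if __name__ == "__main__":
    # Constructed sample: the client wants the IMAPS service at example.net,
    # while the certificate names the XMPP server service at that domain.
    wanted = [("SRV-ID", "_imaps.example.net")]
    presented = [("DNS-ID", "example.net"),
                 ("SRV-ID", "_xmpp-server.example.net")]
    print(any_identifier_matches(wanted, presented))   # False
    presented.append(("SRV-ID", "_IMAPS.Example.NET"))
    print(any_identifier_matches(wanted, presented))   # True
```

The sample run shows the point of 6.5: the XMPP SRV-ID shares the domain name but not the service type, so a client that wants IMAPS does not accept it, whereas an SRV-ID for the same service in different case does match.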
