On Mon, 2011-01-17 at 11:57 -0800, =JeffH wrote:
> > The use of SRV-IDs is supposed to ensure that the client connects to the
> > service type it wanted from among the services available at the DNS name
> > it wanted. However, given that...
> >
> > - The client's list of reference identifiers MUST include a DNS-ID
> > (section 6.2.10)
>
> you mean S6.2.1, yes?

Yes (typo).

> > - The examples of server certificates that include a SRV-ID (section
> > 4.2) also include a DNS-ID
> > - The server ID check succeeds if any reference identifier matches any
> > presented identifier (section 6.3)
> >
> > it would appear that the DNS-IDs will always match, making the service
> > types in the SRV-IDs irrelevant. Am I right?
>
> thx for the heads-up, but I don't think so, see section 6.5...
>
> ###
>
> 6.5. Matching the Application Type Portion
>
> If a client supports checking of identifiers of type SRV-ID and
> URI-ID, it MUST also check the service type of the application
> service with which it communicates (in addition to checking the
> domain name as described above). [...]
> ###

Maybe I am misunderstanding how that section applies. Let's consider an example.

Reference identifiers:

1. SRV-ID _imaps.example.net
2. DNS-ID example.net

Presented identifiers:

3. SRV-ID _xmpp-server.example.net
4. DNS-ID example.net

The client checks each reference identifier against each presented identifier (section 6.3).

#1 and #3: The service types differ, so no match.

#1 and #4: One identifier specifies a service type and the other doesn't. The behavior in this case is not spelled out, but I would assume there is no match.

#2 and #3: Ditto.

#2 and #4: Neither identifier specifies a service type, and the DNS names are the same. Is this a match? If so, we get the problem I originally described.

Are you saying that a client that "supports checking of identifiers of type SRV-ID and URI-ID" MUST NOT compare two DNS-IDs, because they do not contain the service type information that the client is required to check? If so, then in the following example:

Reference identifiers:

1. SRV-ID _imaps.example.net
2. DNS-ID example.net

Presented identifiers:

4. DNS-ID example.net

we would get "no match", when it seems a match would be helpful for backward compatibility.

-- 
Matt

_______________________________________________
certid mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/certid
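The two scenarios in Matt's message, worked through in code. This is an added illustration, not code from the certid thread or from any RFC 6125 implementation. It represents identifiers as (type, value) pairs using the `_service.domain` spelling from the message, compares names case-insensitively, and treats a DNS-ID/SRV-ID pair as "no match" (the assumption Matt makes for pairs #1/#4 and #2/#3; the quoted draft text leaves it open). The `require_service_type` switch models the strict reading of section 6.5 that the message asks about, in which a client whose reference list contains an SRV-ID does not accept a bare DNS-ID match.

```python
"""Identifier matching as discussed in the thread (RFC 6125 sections 6.3/6.5).

Added illustration: this is not code from the certid thread or from any
RFC 6125 implementation. It models reference and presented identifiers as
(type, value) pairs and lets you toggle between the two readings Matt asks
about: a plain "any reference matches any presented identifier" rule, and a
stricter rule under which a client looking for a particular service does not
accept a bare DNS-ID match.
"""

from typing import List, Optional, Tuple

# (id_type, value); SRV-ID values use the "_service.domain" form from the thread.
Identifier = Tuple[str, str]


def split_srv(value: str) -> Tuple[str, str]:
    """Split "_imaps.example.net" into ("imaps", "example.net"), lower-cased."""
    service, _, domain = value.partition(".")
    return service.lstrip("_").lower(), domain.lower()


def identifiers_match(reference: Identifier, presented: Identifier) -> bool:
    """Pairwise comparison of one reference and one presented identifier.

    SRV-ID vs SRV-ID: service type and domain must both match.
    DNS-ID vs DNS-ID: domains must match (case-insensitive comparison is an
    assumption of this example).
    Mixed types: treated as no match, the assumption Matt makes for the
    #1/#4 and #2/#3 pairs; the draft text quoted in the thread leaves it open.
    """
    rtype, rval = reference
    ptype, pval = presented
    if rtype == ptype == "SRV-ID":
        return split_srv(rval) == split_srv(pval)
    if rtype == ptype == "DNS-ID":
        return rval.lower() == pval.lower()
    return False


def check_server_identity(
    reference_ids: List[Identifier],
    presented_ids: List[Identifier],
    require_service_type: bool = False,
) -> Optional[Tuple[Identifier, Identifier]]:
    """Return the first (reference, presented) pair that matches, or None.

    With require_service_type=False this is the section 6.3 rule: success if
    any reference identifier matches any presented identifier. With
    require_service_type=True, a client whose reference list contains an
    SRV-ID skips DNS-ID comparisons, which is the reading of section 6.5 that
    the message asks about.
    """
    wants_service = any(t == "SRV-ID" for t, _ in reference_ids)
    for ref in reference_ids:
        if require_service_type and wants_service and ref[0] == "DNS-ID":
            continue
        for pres in presented_ids:
            if identifiers_match(ref, pres):
                return ref, pres
    return None


# The two scenarios from the message (constructed inputs, taken from its text).
REFERENCE_IDS: List[Identifier] = [
    ("SRV-ID", "_imaps.example.net"),   # #1
    ("DNS-ID", "example.net"),          # #2
]
PRESENTED_XMPP_CERT: List[Identifier] = [
    ("SRV-ID", "_xmpp-server.example.net"),  # #3
    ("DNS-ID", "example.net"),               # #4
]
PRESENTED_DNS_ONLY_CERT: List[Identifier] = [
    ("DNS-ID", "example.net"),               # #4 alone (legacy certificate)
]


def run_scenarios() -> dict:
    """Evaluate both certificates under both readings; keys are (scenario, strict)."""
    results = {}
    for name, presented in (("xmpp-cert", PRESENTED_XMPP_CERT),
                            ("dns-only-cert", PRESENTED_DNS_ONLY_CERT)):
        for strict in (False, True):
            results[(name, strict)] = check_server_identity(
                REFERENCE_IDS, presented, require_service_type=strict)
    return results


if __name__ == "__main__":
    for (name, strict), hit in sorted(run_scenarios().items()):
        reading = "strict 6.5" if strict else "plain 6.3"
        print(f"{name:14s} {reading}: {'match ' + str(hit) if hit else 'no match'}")
```

Running it shows both sides of the trade-off in the message: under the plain section 6.3 rule the certificate carrying `_xmpp-server.example.net` is accepted by an IMAPS client purely on the DNS-ID pair (#2/#4), which is the hole Matt describes; under the strict reading that certificate is rejected, but so is a certificate that carries only `DNS-ID example.net`, which is the backward-compatibility cost he raises.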
