On Fri, Jul 25, 2014 at 09:04:32AM +1000, Mark Andrews wrote:
> > The SNI discussion is also a bit unclear. To be nitpicking, someone pointed
> > out to me that SNI only supports hostnames. If we want to ask for service
> > domains we have to register a new type of SNI if I understood it correctly.
> > This means that the section 6 discussion about SNI that
> > recommends SNI with service domains is not really supported by SNI.
>
> The assumption is that one will share a port if the protocol permits
> it (e.g. HTTPS, SMTP) so there are scaling issues. 50000 names in
> a cert does not scale. Using the server name is the only real
> solution.
Note, with DANE-EE(3) the certificate name is immaterial, so the
same certificate works for all ports, but this is of course a
distraction. For any given service, sending the hostname is
generally sufficient to disambiguate hosted domains and return the
correct certificate. I also don't see a need for a new kind of
SNI here. My hope is that DANE adoption will in the future make
SNI generally unnecessary.
--
Viktor.
_______________________________________________
dane mailing list
https://www.ietf.org/mailman/listinfo/dane
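The point Viktor makes above, that with DANE-EE(3) the name in the certificate is immaterial and one TLSA RDATA can serve every port on a host, is shown below in an added example that is not part of the thread or of any IETF or BIND code. It uses only the Go standard library to mint a throwaway certificate for a hypothetical host (mail.example.net), derive the "3 1 1" TLSA record RFC 7671 recommends (DANE-EE usage, SubjectPublicKeyInfo selector, SHA-256), and compare the DANE-EE match against the PKIX hostname match that SNI-based hosting relies on. The owner names and the second client name (www.example.com) are assumptions for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// TLSA models the RDATA of a TLSA record (RFC 6698): certificate usage,
// selector, matching type and the certificate association data.
type TLSA struct {
	Usage, Selector, MatchingType uint8
	Data                          []byte
}

func (t TLSA) String() string {
	return fmt.Sprintf("%d %d %d %s", t.Usage, t.Selector, t.MatchingType, hex.EncodeToString(t.Data))
}

// newSelfSignedCert mints a throwaway certificate naming exactly hostname.
// Constructed for this example; not a real hosting certificate.
func newSelfSignedCert(hostname string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: hostname},
		DNSNames:     []string{hostname},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// TLSARecordFor derives the "3 1 1" record for cert: DANE-EE usage, the
// SubjectPublicKeyInfo as selector, SHA-256 as matching type.
func TLSARecordFor(cert *x509.Certificate) TLSA {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return TLSA{Usage: 3, Selector: 1, MatchingType: 1, Data: sum[:]}
}

// MatchesDANEEE does what a DANE-EE(3) client does with a "3 1 1" record:
// digest the presented certificate's SPKI and compare. No name in the
// certificate is consulted; other selector/matching combinations are out of
// scope here and simply fail.
func MatchesDANEEE(cert *x509.Certificate, rr TLSA) bool {
	if rr.Usage != 3 || rr.Selector != 1 || rr.MatchingType != 1 {
		return false
	}
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return subtle.ConstantTimeCompare(sum[:], rr.Data) == 1
}

// MatchesHostname is the PKIX-style check that SNI-based virtual hosting
// depends on: the certificate must name the host the client asked for.
func MatchesHostname(cert *x509.Certificate, hostname string) bool {
	return cert.VerifyHostname(hostname) == nil
}

// Demo returns (pkixOK, daneOK) for a client that asked for askedName while the
// server presented a certificate issued for certName, with the TLSA record
// derived from that same certificate.
func Demo(certName, askedName string) (bool, bool, error) {
	cert, err := newSelfSignedCert(certName)
	if err != nil {
		return false, false, err
	}
	rr := TLSARecordFor(cert)
	return MatchesHostname(cert, askedName), MatchesDANEEE(cert, rr), nil
}

func main() {
	cert, err := newSelfSignedCert("mail.example.net")
	if err != nil {
		panic(err)
	}
	rr := TLSARecordFor(cert)
	// The same RDATA can be published under every port-specific owner name.
	for _, owner := range []string{"_25._tcp.mail.example.net.", "_443._tcp.mail.example.net."} {
		fmt.Printf("%s IN TLSA %s\n", owner, rr)
	}
	for _, asked := range []string{"mail.example.net", "www.example.com"} {
		fmt.Printf("asked for %-17s PKIX name match=%-5v DANE-EE match=%v\n",
			asked, MatchesHostname(cert, asked), MatchesDANEEE(cert, rr))
	}
}
```

The second loop is the point of the exchange: a client asking for a name the certificate does not carry fails the PKIX name check, so a shared-port server needs SNI to pick the right certificate, while the DANE-EE match succeeds regardless of name as long as the key matches. The record is still bound to the host by the DNS owner name and DNSSEC, not by anything inside the certificate.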