On 18/01/2012 17:43, Alexey Melnikov wrote:
Hi Brian,

On 18/01/2012 16:16, Brian Trammell wrote:
On Jan 18, 2012, at 3:38 PM, Alexey Melnikov wrote:
 [...]
   RID systems MUST provide for the verification of the identity of a
   RID system peer presenting a valid and trusted certificate, by
   verifying the fully-qualified domain name and service name from the
   DNS SRV record, if available, against that stored in the certificate,

I am confused: this is the first time DNS SRV records are mentioned
(BTW, they need a Normative Reference). Earlier text seems to suggest that DNS SRV records are not used to locate protocol endpoints. If RID is using DNS SRV, then information about how it is used is missing from the document.
It doesn't. Was trying to point out here that SRV must be matched if (for deployment-specific reasons) it was present. This is simply a poor attempt at citing 6125.
SRV-IDs are really only applicable to protocols which are using DNS SRV. So I would have prohibited them... But if you want to keep using them, you need to specify what service name you would expect in them.
Indeed. We don't, so, removed. Thanks for the clarification.

Actually, since the binding between RID and a PKI is better defined in rfc6045-bis, 6046-bis now refers to it, as follows:

    Each RID system SHOULD authenticate its peers via a PKI as detailed
    in Section 9.3 of [I-D.ietf-mile-rfc6045-bis].

Would this address the concern?
Let me check.

So the text in rfc6045bis seems to suggest that all server certificates will be verified based on some prior arrangement. Is my understanding correct?

Many thanks, best regards,

Brian

   as in Section 6 of [RFC6125].

RFC 6125 allows for various options and this paragraph doesn't seem to cover all of them. I suggest you check Section 13.7.1.2.1 of RFC 6120 for an example of what should be specified (ignore XmppAddr identifier type, as it is very XMPP specific). For X.509 SANs which are disallowed, you should say so.
Will do. (6125 is missing something here, a guide for using it in other specs...)

Best regards,

Brian

_______________________________________________
Gen-art mailing list
Gen-art@ietf.org
https://www.ietf.org/mailman/listinfo/gen-art
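The thread turns on what RFC 6125 Section 6 actually requires of a client once a spec says which identifier types it uses: match DNS-IDs against the reference identifier, treat SRV-ID and URI-ID as not applicable when the protocol does not use SRV records or URIs, and consult the CN-ID only when the certificate carries none of the subjectAltName identifier types RFC 6125 defines. The following is an added illustration, not code from the thread, the RID drafts or any IETF implementation. It assumes a hypothetical profile in which only DNS-ID is matched (CN-ID as last-resort fallback) and SRV-ID/URI-ID are disallowed, and it takes identifiers that have already been extracted from the certificate as `(type, value)` tuples; the certificates below are constructed for the example.

```python
"""RFC 6125-style peer identity check for a protocol that uses only DNS-IDs.

Added example (not from the thread or the RID drafts). Identifier extraction
from the certificate is assumed to have happened already; only the matching
rules of RFC 6125 Section 6 are shown.
"""

# Hypothetical application profile: DNS-ID is the only SAN type we match.
# SRV-ID and URI-ID are "disallowed" in the sense Alexey asks for: they are
# never matched, but their presence still matters for the CN-ID fallback rule.
RFC6125_SAN_TYPES = {"DNS-ID", "SRV-ID", "URI-ID"}
MATCHED_TYPES = {"DNS-ID"}


def _labels(name):
    """Normalise a domain name to lower-case labels; None if malformed."""
    name = name.rstrip(".").lower()
    labels = name.split(".")
    if not name or any(not label for label in labels):
        return None
    return labels


def dns_id_matches(presented, reference):
    """Compare a presented DNS-ID with a reference identifier.

    RFC 6125 Section 6.4.3 rules, applied conservatively: labels are compared
    case-insensitively and one-to-one; a wildcard is honoured only when it is
    the entire left-most label, and it matches exactly one label. Partial-label
    wildcards ("ri*.example.net"), which the RFC merely permits, are refused,
    as are wildcards covering a two-label name ("*.net"), a local policy choice.
    """
    if "*" in reference:               # reference identifiers never carry wildcards
        return False
    p, r = _labels(presented), _labels(reference)
    if p is None or r is None or len(p) != len(r):
        return False
    if "*" in p[0]:
        if p[0] != "*" or len(p) < 3:
            return False
        return p[1:] == r[1:]
    if any("*" in label for label in p):   # wildcard in a non-left-most label
        return False
    return p == r


def verify_peer_identity(presented_ids, reference_fqdn):
    """Return (ok, reason) for a list of (type, value) presented identifiers.

    Types follow RFC 6125 naming: "DNS-ID", "SRV-ID", "URI-ID" from the
    subjectAltName, "CN-ID" from the subject Common Name.
    """
    san_types = {t for t, _ in presented_ids if t != "CN-ID"}

    # 1. Match only the SAN types this protocol profile allows.
    for ident_type, value in presented_ids:
        if ident_type in MATCHED_TYPES and dns_id_matches(value, reference_fqdn):
            return True, f"{ident_type} {value} matches {reference_fqdn}"

    # 2. RFC 6125 Section 6.4.4: CN-ID MUST NOT be consulted if the certificate
    #    presents a DNS-ID, SRV-ID or URI-ID. An SRV-ID we do not match still
    #    blocks the fallback; it does not get silently promoted to a CN check.
    if san_types & RFC6125_SAN_TYPES:
        return False, ("no matching DNS-ID; CN-ID not consulted because the "
                       f"subjectAltName carries {sorted(san_types & RFC6125_SAN_TYPES)}")

    # 3. Legacy fallback: CN-ID only for certificates with no usable SAN.
    for ident_type, value in presented_ids:
        if ident_type == "CN-ID" and dns_id_matches(value, reference_fqdn):
            return True, f"CN-ID {value} matches {reference_fqdn} (no SAN identifiers)"
    return False, "no presented identifier matches the reference identifier"


# Constructed certificates for the demonstration (not real deployments).
CONSTRUCTED_CASES = [
    ([("DNS-ID", "rid.example.net"), ("CN-ID", "rid.example.net")], "RID.Example.NET."),
    ([("DNS-ID", "*.example.net")], "rid.example.net"),
    ([("DNS-ID", "*.example.net")], "a.b.example.net"),
    ([("SRV-ID", "_rid.example.net"), ("CN-ID", "rid.example.net")], "rid.example.net"),
    ([("CN-ID", "rid.example.net")], "rid.example.net"),
    ([("DNS-ID", "bar.*.example.net")], "bar.foo.example.net"),
]


def run_cases(cases=CONSTRUCTED_CASES):
    """Evaluate every constructed case; returns the list of (ok, reason)."""
    return [verify_peer_identity(ids, ref) for ids, ref in cases]


if __name__ == "__main__":
    for (ids, ref), (ok, why) in zip(CONSTRUCTED_CASES, run_cases()):
        print(f"{'OK  ' if ok else 'FAIL'} {ref!r:22} {why}")
```

The fourth case is the one the thread is really about: a certificate whose only subjectAltName entry is an SRV-ID. Because the profile does not use SRV records the SRV-ID is never matched, and because it is present the CN-ID may not be used either, so the peer is rejected; a spec that forgets to say which SAN types are allowed leaves implementers to guess at exactly this outcome. In production Python the same DNS-ID rules are applied by OpenSSL through the `ssl` module's `check_hostname`; this block exists to make the rules, and the SRV-ID edge, visible.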
