On 18/01/2012 17:43, Alexey Melnikov wrote:
Hi Brian,
On 18/01/2012 16:16, Brian Trammell wrote:
On Jan 18, 2012, at 3:38 PM, Alexey Melnikov wrote:
[...]
RID systems MUST provide for the verification of the identity of a
RID system peer presenting a valid and trusted certificate, by
verifying the fully-qualified domain name and service name from the
DNS SRV record, if available, against that stored in the certificate,
I am confused: this is the first time DNS SRV records are mentioned
(BTW, they need a Normative Reference). Earlier text seems to
suggest that DNS SRV is not used to locate protocol endpoints. If
RID is using DNS SRV, then information about how it is used is
missing from the document.
It doesn't. Was trying to point out here that SRV must be matched
if (for deployment-specific reasons) it was present. This is simply
a poor attempt at citing 6125.
SRV-IDs are really only applicable to protocols which are using DNS
SRV. So I would have prohibited them... But if you want to keep
using them, you need to specify what service name you would
expect in them.
Indeed. We don't, so, removed. Thanks for the clarification.
Actually, since the binding between RID and a PKI is better defined
in rfc6045-bis, 6046-bis now refers to it, as follows:
Each RID system SHOULD authenticate its peers via a PKI as detailed
in Section 9.3 of [I-D.ietf-mile-rfc6045-bis].
Would this address the concern?
Let me check.
So the text in rfc6045bis seems to suggest that all server certificates
will be verified based on some prior arrangement. Is my understanding
correct?
Many thanks, best regards,
Brian
as in Section 6 of [RFC6125].
RFC 6125 allows for various options and this paragraph doesn't
seem to cover all of them. I suggest you check Section 13.7.1.2.1
of RFC 6120 for an example of what should be specified (ignore
XmppAddr identifier type, as it is very XMPP specific). For X.509
SANs which are disallowed, you should say so.
Will do. (6125 is missing something here, a guide for using it in
other specs...)
Best regards,
Brian
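To make the RFC 6125 Section 6 matching rules discussed above concrete, here is an added Python example (not from the draft, the RFC, or either correspondent) of reference-identity checking against a constructed subjectAltName list. The service name "rid", the SAN tuples and the allow_srv_id switch are assumptions; the thread itself settles on RID not using SRV-IDs, which is the default the function encodes.

```python
"""Reference-identity matching in the spirit of RFC 6125 Section 6.

Added illustration only. Presented identifiers come from a constructed
list of subjectAltName entries, not from a parsed certificate.
"""

# Constructed SAN list ("presented identifiers") for illustration.
# ("dNSName", ...) is a DNS-ID; ("otherName:SRVName", "_svc.host") is an SRV-ID.
SAMPLE_SANS = [
    ("dNSName", "rid.example.net"),
    ("dNSName", "*.example.net"),
    ("otherName:SRVName", "_rid.rid.example.net"),
    ("iPAddress", "192.0.2.10"),
]


def _dns_match(presented, reference):
    """Compare a DNS-ID with the reference hostname: case-insensitive, and a
    wildcard is accepted only as the entire left-most label (RFC 6125 6.4.3)."""
    p = presented.lower().rstrip(".")
    r = reference.lower().rstrip(".")
    if "*" not in p:
        return p == r
    p_labels, r_labels = p.split("."), r.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(r_labels):
        return False
    return p_labels[1:] == r_labels[1:]


def verify_reference_identity(sans, hostname, service=None, allow_srv_id=False):
    """Return the matching SAN entry, or None if no allowed identifier matches.

    hostname     - reference FQDN the client intended to reach.
    service      - SRV service label (assumed "rid" here), only meaningful when
                   the endpoint was located via DNS SRV.
    allow_srv_id - False by default: as the thread concludes for RID, SRV-IDs
                   are ignored even if present, so a DNS-ID must match.
    iPAddress and other SAN types are treated as disallowed for this check.
    """
    for kind, value in sans:
        if kind == "dNSName" and _dns_match(value, hostname):
            return (kind, value)
        if kind == "otherName:SRVName" and allow_srv_id and service:
            svc, _, host = value.partition(".")
            # SRV-ID form is "_service.host"; no wildcard allowed in the host part.
            if svc == "_" + service.lower() and "*" not in host \
                    and _dns_match(host, hostname):
                return (kind, value)
    return None
```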