On 23 jun 2010, at 16.33, Richard L. Barnes wrote: > In principle, example.com is the proper domain to authenticate, but in > practice, that causes a lot of problems. Consider the case where the target > of the redirection is a separate entity from the origin; this could arise, > for example, in a situation whereexample.com has outsourced its calendaring > services to calendardserverfoobar.com.
So, the "connect the dots" is to: - Announce the fact example.com is hosted at calendarserverfoobar.com (with some URL) in DNS - Secure that announcement in DNS with DNSSEC - Verify the SSL (for example) cert for the connection to calendarserverfoobar.com matches - Do application layer authentication etc over the then encrypted connection Sounds ok? Patrik
PGP.sig
Description: This is a digitally signed message part
_______________________________________________ Ietf mailing list Ietf@ietf.org https://www.ietf.org/mailman/listinfo/ietf