On Sun, Jul 18, 2010 at 08:17:22AM -0700, Paul Hoffman wrote:
> At 11:29 PM -0400 7/17/10, Shumon Huque wrote:
> >On Thu, Jul 15, 2010 at 04:29:07PM -0700, Paul Hoffman wrote:
> >> At 4:08 PM -0700 7/15/10, The IESG wrote:
> >> >The IESG has received a request from an individual submitter to consider
> >> >the following document:
> >> >
> >> >- 'Representation and Verification of Domain-Based Application Service
> >> >  Identity in Certificates Used with Transport Layer Security '
> >> >  <draft-saintandre-tls-server-id-check-08.txt> as a Proposed Standard
> >>
> >>
> >> The middle of Section 4.2 says:
> >>    The client then orders the list in accordance with the following
> >>    rules:
> >> Then, in 4.3, it checks each reference in this ordered list until
> >> it (hopefully) finds a match. Given that it is going to do an
> >> exhaustive search, what is the purpose of ordering?
> >
> >Not sure I'm following your question, but the purpose of ordering
> >is to look for the subject identities in preference order (SRV/URI,
> >before dNSName, before Common Name etc). Once a match is found,
> >the search is aborted; an exhaustive search is only performed if
> >the matched identity is the last one or there is no match. Section
> >4.3 has:
> >
> >   It does so by seeking a match in preference order
> >   and aborting the search if any presented identifier matches one of
> >   its reference identifiers. The search fails if the client exhausts
> >   its list of reference identifiers without finding a match.
>
> I understand that, but what is the advantage of searching in the preferred
> order over, say, searching in random order of the pile? I don't see an
> advantage of getting a result from the more-preferred identity if you are
> eventually going to accept anything.
>
> If there is no advantage, the "sort the pile before searching" step adds
> complexity without benefit, and thus should be dropped. If there is some
> advantage, I'm fine with it being there.
>
> --Paul Hoffman, Director
> --VPN Consortium
Well, one reason would be to reduce the number of verification steps
imposed on a client by a certificate with a more preferred or more
specific identity type.

--
Shumon Huque
University of Pennsylvania.
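To make the preference-ordered search from sections 4.2/4.3 concrete, here is a small illustration added for this thread; it is not code from the draft or from either poster. It assumes a simplified preference list (SRV-ID, URI-ID, DNS-ID, CN-ID), treats SRV-ID and URI-ID as exact case-insensitive string comparisons, allows only a single leading `*.` wildcard label for DNS-ID/CN-ID, and uses constructed identifiers; the `ordered=False` path is there only to contrast an unordered scan with the draft's behaviour.

```python
"""Preference-ordered matching of reference identifiers against the
identifiers presented in a certificate (illustration of draft-saintandre-
tls-server-id-check sections 4.2/4.3; simplified, not the draft's text)."""

# Assumed preference order: SRV/URI before dNSName before Common Name.
PREFERENCE = ("SRV-ID", "URI-ID", "DNS-ID", "CN-ID")


def order_reference_ids(reference_ids):
    """Section 4.2 step: sort (type, value) pairs into preference order."""
    return sorted(reference_ids, key=lambda ref: PREFERENCE.index(ref[0]))


def dns_label_match(presented, reference):
    """Case-insensitive DNS name comparison; a single leading '*.' label may
    stand in for exactly one label of the reference name (assumption)."""
    p, r = presented.lower(), reference.lower()
    if p.startswith("*."):
        return r.count(".") == p.count(".") and r.endswith(p[1:])
    return p == r


def identifiers_match(presented, reference):
    """Compare one presented identifier with one reference identifier."""
    if presented[0] != reference[0]:          # types must agree first
        return False
    if reference[0] in ("DNS-ID", "CN-ID"):
        return dns_label_match(presented[1], reference[1])
    return presented[1].lower() == reference[1].lower()  # SRV-ID / URI-ID


def verify(reference_ids, presented_ids, ordered=True):
    """Section 4.3 step: walk the reference identifiers, abort on the first
    match.  Returns (matched reference or None, comparisons performed).
    ordered=True is the draft's behaviour; ordered=False keeps caller order."""
    refs = order_reference_ids(reference_ids) if ordered else list(reference_ids)
    comparisons = 0
    for ref in refs:
        for pres in presented_ids:
            comparisons += 1
            if identifiers_match(pres, ref):
                return ref, comparisons
    return None, comparisons


if __name__ == "__main__":
    # Constructed sample: client knows both a DNS-ID and an SRV-ID for the
    # service; the certificate carries a wildcard DNS-ID and an exact SRV-ID.
    refs = [("DNS-ID", "im.example.net"), ("SRV-ID", "_xmpp-client.im.example.net")]
    pres = [("DNS-ID", "*.example.net"), ("SRV-ID", "_xmpp-client.im.example.net")]
    print("ordered  :", verify(refs, pres))              # SRV-ID wins
    print("unordered:", verify(refs, pres, ordered=False))  # wildcard DNS-ID wins
```

With the sample input, the ordered search accepts the exact SRV-ID, while the unordered scan stops at the looser wildcard DNS-ID; that difference in which identifier is accepted is what the preference order buys, independent of the comparison count.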