On 2015-11-08 17:45, James Cloos wrote:
> When TLSA records are used, the SRV destination should be the only name
> checked for in the certs.

RFC 7673 says both the service name and the SRV target name IFF the SRV
record is secure (per the DNSSEC definition).  If not, use only the
service name, as you do not have a secure delegation from the service
name (what the user actually entered) to the SRV target (could be cache
poisoned).

Further, it states that in both cases, the service name is used for SNI.

> It would be best for xmpp to target that model for all TLS usage.  It is
> much easier than the pre-tlsa options are.

Can you elaborate on why it is easier?  As a server implementer, I disagree.

-- 
Kim "Zash" Alvefur
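The RFC 7673 rule described in the reply above, as an added example (not code from this thread or from any XMPP server): which names a client may match a server certificate against, and which name goes into SNI, depending on whether the SRV lookup was DNSSEC-secure. Hostnames, SANs and the exact-match-only comparison are assumptions for illustration.

```python
"""RFC 7673 (DANE for SRV) reference identifiers, as an added example.

Terminology follows the RFC: the "service domain name" is what the user
typed (e.g. example.com); the "target host name" is the SRV target.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class SrvResolution:
    service_name: str   # name the user entered, e.g. example.com
    srv_target: str     # target of the SRV record the client followed
    srv_secure: bool    # was the SRV RRset validated with DNSSEC?


def _canon(name: str) -> str:
    """Normalise a DNS name for comparison (lowercase, no trailing dot)."""
    return name.lower().rstrip(".")


def reference_identifiers(res: SrvResolution) -> set:
    """Names a presented certificate may be matched against.

    The service name is always acceptable.  The SRV target is acceptable
    only when the delegation to it was DNSSEC-secure; otherwise a spoofed
    (e.g. cache-poisoned) SRV answer could point at an attacker host that
    legitimately holds a certificate for that target name.
    """
    names = {_canon(res.service_name)}
    if res.srv_secure:
        names.add(_canon(res.srv_target))
    return names


def sni_name(res: SrvResolution) -> str:
    """Per RFC 7673 the SNI value is the service name in both cases."""
    return res.service_name


def cert_acceptable(cert_dns_sans, res: SrvResolution) -> bool:
    """True if any dNSName SAN equals an acceptable reference identifier.

    Exact matching only; wildcard handling is intentionally omitted here.
    """
    sans = {_canon(s) for s in cert_dns_sans}
    return bool(sans & reference_identifiers(res))


if __name__ == "__main__":
    # Constructed scenario: example.com delegates XMPP to xmpp.example.net.
    insecure = SrvResolution("example.com", "xmpp.example.net", False)
    secure = SrvResolution("example.com", "xmpp.example.net", True)
    print(cert_acceptable(["xmpp.example.net"], insecure))  # False
    print(cert_acceptable(["xmpp.example.net"], secure))    # True
```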
