Michael Ströder wrote:
> > Michael Ströder wrote:
> > Paul Hoffman wrote:
> >> It tells us that, when there are multiple ways to do things, and some of
> >> those ways are known to be insecure due to repeated poor implementations,
> >> we can say "don't do that" for the bad ways.
> >
> > That's fine for me too.
>
> But to make that more clear in this context: The draft should not discourage
> completely using DCs in the subject-DN. It should only recommend not to encode
> the server's hostname in the DCs.
Nope. It is important to strongly recommend to clients to _NOT_ check the server endpoint identity based on DC components, that is the important issue. There is no known sensible, consistent and reasonably safe interpretation of DC name components as the hostname for a server endpoint. No implementation that doesn't have such code should add it, and existing implementations with such code should think about removing it or disabling it by default.

-Martin

_______________________________________________
certid mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/certid
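The check Martin describes, as an added example that is not code from this thread or from any implementation it mentions: reference identifiers come from SAN dNSName entries (with a CN fallback) and DC components are never consulted. The subject DN is modelled as a constructed list of (type, value) pairs; `dc_derived_name` exists only to show why joining DCs gives no consistent hostname.

```python
# Added example, not from the certid thread: a client-side identity check that
# takes its reference identifiers from SAN dNSName entries (falling back to the
# CN) and never from DC components. All inputs are constructed sample data.
from typing import List, Tuple

Rdn = Tuple[str, str]  # (attribute type, value), in X.500 order (root first)

def presented_identifiers(subject: List[Rdn], san_dnsnames: List[str]) -> List[str]:
    """Hostnames the client may compare the connected endpoint against.

    If any dNSName SAN is present those are authoritative; otherwise the most
    specific CN is used. DC RDNs are deliberately ignored: DC=example,DC=com
    names a directory partition, not a server endpoint.
    """
    if san_dnsnames:
        return [n.lower() for n in san_dnsnames]
    cns = [v for (t, v) in subject if t.upper() == "CN"]
    return [cns[-1].lower()] if cns else []

def dc_derived_name(subject: List[Rdn]) -> str:
    """What a 'join the DCs' heuristic yields. Shown only to make the
    ambiguity concrete: the result depends on which RDN order the caller
    assumed, so two clients can derive different names from one subject."""
    return ".".join(v for (t, v) in subject if t.upper() == "DC")

def matches_hostname(hostname: str, identifiers: List[str]) -> bool:
    """Case-insensitive match; a '*.' identifier covers exactly one leftmost label."""
    host = hostname.lower().rstrip(".")
    for ident in identifiers:
        ident = ident.lower().rstrip(".")
        if ident == host:
            return True
        if ident.startswith("*."):
            labels = host.split(".")
            if len(labels) >= 3 and ".".join(labels[1:]) == ident[2:]:
                return True
    return False

if __name__ == "__main__":
    # Constructed subject: DC=com, DC=example, OU=Directory, CN=ldap.example.com
    subject = [("DC", "com"), ("DC", "example"), ("OU", "Directory"), ("CN", "ldap.example.com")]
    ids = presented_identifiers(subject, [])
    print("identifiers:", ids)                                              # ['ldap.example.com']
    print("DC heuristic (X.500 order):", dc_derived_name(subject))          # com.example
    print("DC heuristic (string order):", dc_derived_name(subject[::-1]))   # example.com
    print("example.com accepted?", matches_hostname("example.com", ids))    # False
```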
