Hi!
Re-reading I found another issue that confuses me a bit:
"SRV is secure: The reference identifiers SHALL include both the
service domain and the SRV target server host name (e.g., include
both "im.example.com" and "xmpp23.hosting.example.net"). The
target server host name is the preferred name for TLS SNI or its
equivalent."
Why SHALL we include the service domain? I thought the reasoning here
was that the signed chain was the proof of authorization to handle a specific
service domain. I don't really see the point in having the service domain
in the cert as this generates issues with multi-hosting (as previously
discussed).
Again I may have missed previous conversation, so feel free to tell me to shut
up and send me pointers to those ;-)
The SNI discussion is also a bit unclear. To be nitpicking, someone pointed
out to me that SNI only supports hostnames. If we want to ask for service
domains we have to register a new type of SNI if I understood it correctly.
This means that the discussion about SNI in section 6 that
recommends SNI with service domains is not really supported by SNI.
Cheers,
/O
_______________________________________________
dane mailing list
https://www.ietf.org/mailman/listinfo/dane