Philip Homburg <[email protected]> wrote:
>>    I am also fairly skeptical about solutions like this being
>>    "generally" useful for client auth, due to the very low penetration
>>    of DNSSEC deployment

> It would be a lot easier if instead of [client-domain-name] it would be
> [identity-provider-domain-name]. Under the assumption that organizations
> that can provide identity can also handle DNSSEC.

Yes, that option is supported by the draft. You can also read
[client-domain-name] more generally, such that it could be located inside
an identity provider's domain.

The example name constructions are non prescriptive. An application (or
deployment) can use another form of client domain name, as long as the DANE
TLS server application is configured to accept those forms (authorization).

Shumon.
_______________________________________________
DNSOP mailing list -- [email protected]
To unsubscribe send an email to [email protected]

Reply via email to