On Wed, Sep 08, 2010 at 11:08:29PM +0200, Stefan Santesson wrote:
> 
> On 10-09-08 9:53 PM, "Shumon Huque" <[email protected]> wrote:
> > The output of the SRV record lookup contains a target hostname,
> > not a service name, so it's not applicable to the SRVName name
> > form. The target could be used in another name form (dNSName)
> > as the reference identifier, but then the client needs to convince
> > itself that the lookup was done securely (DNSSEC or some other
> > means) otherwise there's a security problem.
> 
> I disagree,
> 
> A client can use the output from the DNS lookup also from a normal insecure
> DNS server.
> 
> The only thing the client needs to do is to verify that the domain name
> provided in the input to the lookup matches the host names provided in the
> output. It can then safely use the host names in the SRV record as reference
> identifiers IF the SRV-ID in the server certificate matches the
> reference identifier.

This only works if the certificate matching rules say something 
like "match the SRVName AND also match the DNS resolved target
hostname in dNSName". If a client attempts to match _only_ the DNS 
resolved hostname without DNSSEC, there is a security problem.

The question is: what should the certificate matching rules say
when encountering a certificate with multiple identity types?
Right now the draft approximately says "find a match" (i.e. find
ANY match), rather than match some logically AND'ed combination of 
identity types.

  http://tools.ietf.org/html/draft-saintandre-tls-server-id-check-09#section-4

-- 
Shumon Huque
University of Pennsylvania.
_______________________________________________
Ietf mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ietf
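
The two matching rules contrasted in the message above, as an added example that is not part of the original email or of the draft. It assumes the SRV lookup was not DNSSEC-validated; the `Cert` model, the function names and all host names are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    """Only the subjectAltName entries relevant here (constructed model)."""
    srv_names: frozenset = frozenset()  # SRVName entries, "_service.domain"
    dns_names: frozenset = frozenset()  # dNSName entries

def _norm(name):
    return name.rstrip(".").lower()

def _has(names, ref):
    return _norm(ref) in {_norm(n) for n in names}

def reference_ids(service, source_domain, srv_target):
    """SRVName is built from user input; dNSName comes from the SRV answer."""
    return {"srv": f"_{service}.{source_domain}", "dns": srv_target}

def match_any(cert, refs):
    """'Find a match' rule: either identity type is enough."""
    return _has(cert.srv_names, refs["srv"]) or _has(cert.dns_names, refs["dns"])

def match_all(cert, refs):
    """AND'ed rule: the user-derived SRVName must match as well as the
    DNS-derived target, so an unauthenticated answer cannot stand alone."""
    return _has(cert.srv_names, refs["srv"]) and _has(cert.dns_names, refs["dns"])

# Constructed sample data: the certificate of the real service for
# example.com, and a valid certificate belonging to an unrelated host.
GENUINE = Cert(srv_names=frozenset({"_xmpp-client.example.com"}),
               dns_names=frozenset({"xmpp1.hosting.example"}))
UNRELATED = Cert(dns_names=frozenset({"xmpp.other.example"}))

# The same user input, with an honest and a tampered SRV answer.
HONEST = reference_ids("xmpp-client", "example.com", "xmpp1.hosting.example.")
TAMPERED = reference_ids("xmpp-client", "example.com", "xmpp.other.example.")

def outcomes():
    """Return the accept/reject decision of each rule for each case."""
    return {
        "any/honest": match_any(GENUINE, HONEST),
        "all/honest": match_all(GENUINE, HONEST),
        "any/tampered": match_any(UNRELATED, TAMPERED),
        "all/tampered": match_all(UNRELATED, TAMPERED),
    }

if __name__ == "__main__":
    for case, accepted in outcomes().items():
        print(f"{case:13} -> {'accept' if accepted else 'reject'}")
```

Under the "any" rule the tampered answer is accepted because the only identifier that matched was itself taken from the unauthenticated DNS response.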
