Shumon Huque wrote: > On Thu, Feb 21, 2008 at 12:58:03PM -0800, Justin Karneges wrote: >> On Thursday 21 February 2008 9:49 am, Peter Saint-Andre wrote: >>> First let's take Shumon's example of upenn.edu, which resolves via SRV >>> to jabber.upenn.edu. In this case, the certificate would include an >>> SRVName of _xmpp.jabber.upenn.edu, which would help the connecting >>> client (or server) to know that jabber.upenn.edu is the authorized >>> domain for connecting to the canonical XMPP service at upenn.edu (e.g., >>> thus knowing that the DNS SRV lookup did not return poisoned results). >> This is not my understanding. >> >> If I resolve SRV for _xmpp-client._tcp.upenn.edu and receive >> jabber.attacker.com as a result, and then I connect to jabber.attacker.com >> and receive a certificate containing SRVName of >> _xmpp-client.jabber.attacker.com, then I don't see the security improvement. > > No, you'd be expecting to see SRVName of _xmpp-client.upenn.edu.
_xmpp.upenn.edu or xmpp_.upenn.edu? > Presumably the operator of jabber.attacker.com would not be able > to persuade a reputable CA to issue him a certificate with > _xmpp-client.upenn.edu populated in the SRVName field. You'd hope so. :) Peter -- Peter Saint-Andre https://stpeter.im/
smime.p7s
Description: S/MIME Cryptographic Signature
