On 9 November 2015 at 15:51, James Cloos <[email protected]> wrote:
> The service name is only supposed to be relevant iff ( the dns lookups are
> not secure OR there is no TLSA ) .

Where do you get this assertion from?
I would have thought that the reverse is true - the user-supplied identifier is always relevant, whereas derived identifiers are only relevant if the caller can derive them securely. TLSA has nothing to do with what names are validated at all; but if DNSSEC is used, one might even validate based on IP address.
