>>>>> "DC" == Dave Cridland <[email protected]> writes:

>> The service name is only supposed to be relevant iff ( the dns lookups are
>> not secure OR there is no TLSA ) .

DC> Where do you get this assertion from?

DC> I would have thought that the reverse is true - the user-supplied
DC> identifier is always relevant, whereas derived identifiers are only
DC> relevant if the caller can derive them securely.

DC> TLSA has nothing to do with what names are validated at all; but if
DC> DNSSEC is used, one might even validate based on IP address.

DNSSEC secures the path from the service name to the server name.

As long as that path is secure, the (TLS-)client knows that the target
server is right for the service in question, provided that the offered
cert matches the TLSA RR.

With DANE there is no need for SNI.

-JimC
-- 
James Cloos <[email protected]>         OpenPGP: 0x997A9F17ED7DAEA6
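As an added example (not code from either poster), the following Python models the rule Jim states: the derived target name is trusted, and SNI becomes unnecessary, only when the SRV path and the TLSA RRset are both DNSSEC-secure and the presented certificate matches a TLSA RR; otherwise the client falls back to PKIX validation of the user-supplied service name. It implements only DANE-EE (usage 3) matching from RFC 6698; the DER blobs and RRs are constructed placeholders, and the function names are assumptions for illustration.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class TLSA:
    """One TLSA RR (RFC 6698): usage, selector, matching type, association data."""
    usage: int     # 3 = DANE-EE is the only usage handled here
    selector: int  # 0 = full certificate, 1 = SubjectPublicKeyInfo
    mtype: int     # 0 = exact match, 1 = SHA-256, 2 = SHA-512
    data: bytes


def tlsa_matches(rr: TLSA, cert_der: bytes, spki_der: bytes) -> bool:
    """True if the presented end-entity cert satisfies one DANE-EE TLSA RR."""
    if rr.usage != 3:
        return False            # PKIX-TA/EE and DANE-TA need chain building; out of scope here
    subject = {0: cert_der, 1: spki_der}.get(rr.selector)
    if subject is None:
        return False            # unknown selector: the RR is unusable, never a match
    if rr.mtype == 0:
        return subject == rr.data
    if rr.mtype == 1:
        return hashlib.sha256(subject).digest() == rr.data
    if rr.mtype == 2:
        return hashlib.sha512(subject).digest() == rr.data
    return False                # unknown matching type: unusable


def choose_identifier(srv_secure: bool, tlsa_rrs, tlsa_secure: bool) -> str:
    """The mail's rule: validate the DNSSEC-derived target name via DANE only when the
    SRV path and the TLSA RRset are both secure and at least one RR is usable;
    otherwise the user-supplied service name must be validated under PKIX."""
    usable = [rr for rr in tlsa_rrs
              if rr.usage == 3 and rr.selector in (0, 1) and rr.mtype in (0, 1, 2)]
    return "dane-target-name" if srv_secure and tlsa_secure and usable else "pkix-service-name"


def accept_dane(srv_secure, tlsa_rrs, tlsa_secure, cert_der, spki_der) -> bool:
    """Accept under DANE-EE only if DANE applies and some RR matches the offered cert."""
    if choose_identifier(srv_secure, tlsa_rrs, tlsa_secure) != "dane-target-name":
        return False
    return any(tlsa_matches(rr, cert_der, spki_der) for rr in tlsa_rrs)


# Constructed sample input: placeholder DER blobs, not real certificates.
SAMPLE_CERT = b"constructed-der-certificate-bytes"
SAMPLE_SPKI = b"constructed-subjectpublickeyinfo"
GOOD_RR = TLSA(3, 1, 1, hashlib.sha256(SAMPLE_SPKI).digest())   # a "3 1 1" record
STALE_RR = TLSA(3, 1, 1, hashlib.sha256(b"old-key").digest())   # key rolled, RR not updated

if __name__ == "__main__":
    print(accept_dane(True, [GOOD_RR], True, SAMPLE_CERT, SAMPLE_SPKI))   # True
    print(accept_dane(False, [GOOD_RR], True, SAMPLE_CERT, SAMPLE_SPKI))  # False: insecure SRV path
```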
