Re: [authmeth] secure derivations of server hostname
Roger Harrison wrote:
There is an outstanding work item, G.25, in authmeth-05 regarding
the use of derived forms of the server's name when performing the
server identity check while processing a StartTLS request. Currently,
the wording of section 4.1.6 says:
"The client MUST use the server hostname it used to open the LDAP
connection as the value to compare against the server name as expressed
in the server's certificate. The client MUST NOT use any other derived
form of name including the server's canonical DNS name."
According to my notes, Bob Morgan offered to provide some wording that
would relax this restriction to allow usage of derivations of the server
name that are provided securely. If Bob or some other knowledgeable
member of the WG would help me with the proper wording or some
information about what is acceptable, I will make the needed changes and
close out the work item.
Could you please give some examples of "derivations of the server
name that are provided securely"? Is this about using host names in X.509v3
subjectAltName extension? I'm rather scared about relaxing this since I
suspect that insecure DNS is used to get the derivation of the server name.
Ciao, Michael.
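The section 4.1.6 rule quoted above, next to the relaxed "derived name" variant the thread is debating, as an added example (not code from the thread or from any LDAP implementation). The certificate is a constructed sample in the shape Python's ssl.SSLSocket.getpeercert() returns; the resolver passed to the derived check is a hypothetical stand-in for whatever DNS lookup would supply the derivation.

```python
# Constructed sample certificate, shaped like ssl.SSLSocket.getpeercert() output
SERVER_CERT = {
    "subject": ((("commonName", "ldap.example.com"),),),
    "subjectAltName": (("DNS", "ldap.example.com"), ("DNS", "ldap1.example.com")),
}


def cert_dns_names(cert):
    """dNSName subjectAltName entries; commonName only as a fallback."""
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:
        names = [v for rdn in cert.get("subject", ())
                 for k, v in rdn if k == "commonName"]
    return names


def identity_check(connect_host, cert):
    """Section 4.1.6 as worded: compare the hostname the client used to open
    the LDAP connection against the certificate names. Exact match (case-
    insensitive, trailing dot ignored); no canonical name, no reverse lookup."""
    wanted = connect_host.rstrip(".").lower()
    return any(n.rstrip(".").lower() == wanted for n in cert_dns_names(cert))


def derived_identity_check(connect_host, cert, resolve):
    """The relaxed variant under discussion: derive a name first (here via a
    caller-supplied resolver, hypothetical) and compare that instead.
    Whatever the resolver answers is what gets matched, so this check is only
    as trustworthy as the resolver, which is the concern raised in the reply."""
    return identity_check(resolve(connect_host), cert)


if __name__ == "__main__":
    # Hypothetical honest resolver: the alias 'directory' maps to the real host
    honest = lambda h: {"directory.example.com": "ldap.example.com"}.get(h, h)
    print(identity_check("ldap.example.com", SERVER_CERT))          # True
    print(identity_check("directory.example.com", SERVER_CERT))     # False (alias)
    print(derived_identity_check("directory.example.com", SERVER_CERT, honest))  # True
```

The strict check rejects the alias even though it names the same server, which is why relaxing the rule is attractive; the derived check accepts it, but only because the resolver said so.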