Rick van Rein wrote:

>> 1. If you're using TLS there's AFAIK no specification how to implement the TLS
>> hostname check (see https://tools.ietf.org/html/rfc6125) to prevent MITM attacks.
>
> IMHO, the hostname check is immaterial (and potentially confusing, when
> hosting multiple dc=,dc= trees)

Not sure I understand "immaterial". One would have to write a spec which maps the "name" (here LDAP URL) used by the client to something stored in the TLS server cert. Also note that the subjectAltName extension can contain a URI.

> but DANE can be helpful by checking cert
> or key, regardless of naming information in the certificate,
>
> https://tools.ietf.org/html/rfc6698

I expected somebody to raise the DANE hype. Note that DANE requires DNSSEC to be really secure. Also someone would have to write a spec detailing how to map ldap:///dc=example,dc=com to a DANE (DNS) name (just like a spec is needed for the TLS hostname check).

Ciao, Michael.
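One concrete reading of the mapping problem discussed above, as an added Python example that is not part of the thread: it assumes the RFC 2247 dc= to DNS-name mapping for a host-less LDAP URL, TLSA owner names of the form _port._tcp.host (RFC 6698), and RFC 6125-style dNSName/URI matching; the SAN entries and URLs are constructed and no network I/O is done.

```python
from urllib.parse import urlsplit, unquote

LDAP_PORTS = {"ldap": 389, "ldaps": 636}


def ldap_url_reference_identity(url):
    """Return (host, port) a client should expect the server cert to carry.
    If the URL has no host, derive the DNS name from the base DN's dc=
    components (RFC 2247 mapping, assumed here); note this names the tree,
    not necessarily the machine serving it, which is the ambiguity raised
    in the thread when one server hosts several dc= trees."""
    parts = urlsplit(url)
    port = parts.port or LDAP_PORTS[parts.scheme]
    if parts.hostname:
        return parts.hostname.lower(), port
    base_dn = unquote(parts.path.lstrip("/"))
    labels = [rdn.split("=", 1)[1].strip() for rdn in base_dn.split(",")
              if rdn.strip().lower().startswith("dc=")]
    if not labels:
        raise ValueError("no host and no dc= components to derive one from")
    return ".".join(labels).lower(), port


def tlsa_qname(host, port):
    """Owner name of the DANE TLSA record for this service (RFC 6698)."""
    return f"_{port}._tcp.{host}."


def dns_name_matches(pattern, host):
    """Exact match, or a single leading '*' covering exactly one label
    (the common RFC 6125 practice: no '*.com' matching 'example.com')."""
    pattern, host = pattern.lower(), host.lower()
    if pattern == host:
        return True
    if not pattern.startswith("*."):
        return False
    h_labels = host.split(".")
    return len(h_labels) >= 3 and ".".join(h_labels[1:]) == pattern[2:]


def cert_matches_ldap_url(san_entries, url):
    """san_entries: list of (kind, value) from subjectAltName, e.g.
    [("DNS", "ldap.example.com"), ("URI", "ldap://ldap.example.com/")]."""
    host, port = ldap_url_reference_identity(url)
    for kind, value in san_entries:
        if kind == "DNS" and dns_name_matches(value, host):
            return True
        if kind == "URI":
            u = urlsplit(value)
            if (u.scheme in LDAP_PORTS and (u.hostname or "").lower() == host
                    and (u.port or LDAP_PORTS[u.scheme]) == port):
                return True
    return False
```

A client that derives "example.com" from ldap:///dc=example,dc=com would thus look up _389._tcp.example.com. for a TLSA record and refuse a certificate whose SAN only names ldap.example.com, which is exactly the gap a written spec would have to close.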