RE: Defining an SRV RR Other name in pkix

["Stefan Santesson" <stefans@xxxxxxxxxxxxx>]

Steve,

I agree that it would be useful to have a close discussion with DNS
folks, especially when developing appropriate security considerations.
But I'm not sure that is necessary for the decision to create this name
form.

The SRV RR concept already exists in use so there is nothing new that
needs to be added to the DNS concept to make use of this name form in
certificates.

Clients that currently use the SRV RR to locate a host may not have any
knowledge about any other name of the service or its host that it can
bind to.

SO unless there is a SRV RR in the certificate that matches the
requested service, the client may not be able to determine if the DNS
server provided an appropriate DNS host name in response to the request,
opening up the field for a DNS spoofing attack.

I can't see any harm in adding this capability to the set off available
name forms that can be expressed in a certificate.

Do you think this group needs more input to take the decision to create
this other name?


Stefan Santesson
Program Manager, Standards Liaison
Windows Security
 

> -----Original Message-----
> From: Stephen Kent [mailto:kent@xxxxxxx]
> Sent: den 13 juni 2005 17:42
> To: Stefan Santesson
> Cc: ietf-pkix@xxxxxxxx; Tim Polk; Sam Hartman; housley@xxxxxxxxxxxx
> Subject: Re: Defining an SRV RR Other name in pkix
> 
> Stefan,
> 
> I think you should coordinate this with some folks in the DNS arena,
> as well.  There have been many proposals for extensions to DNS, or
> ancillary technology that relies on DNS, that have foundered because
> of subtle issues associated with DNS management, server software
> limitations, etc.
> 
> Steve