
RE: Defining an SRV RR Other name in pkix



Sam,

May I just ask for a clarification.

What do you mean by "that way"?

The Overview and rationale section of RFC 2782 states:

   Currently, one must either know the exact address of a server to
   contact it, or broadcast a question.

   The SRV RR allows administrators to use several servers for a single
   domain, to move services from host to host with little fuss, and to
   designate some hosts as primary servers for a service and others as
   backups.

   Clients ask for a specific service/protocol for a specific domain
   (the word domain is used here in the strict RFC 1034 sense), and get
   back the names of any available servers.


The Applicability statement further states:

   In general, it is expected that SRV records will be used by clients
   for applications where the relevant protocol specification indicates
   that clients should use the SRV record. Such specification MUST
   define the symbolic name to be used in the Service field of the SRV
   record as described below. It also MUST include security
   considerations. Service SRV records SHOULD NOT be used in the absence
   of such specification.


In my, maybe all too limited mind, this already states clearly the use in
"that way" which I have tried to describe. I don't want to add
_anything_ to this concept.

The only thing I ask for is for a client to be able to authenticate a
host's certificate as a means to confirm that this host indeed is
assigned to the claimed service.

What is the alternative here?
As far as I can see, the only alternative is to blindly trust the DNS
server to return the correct host name.

I really don't want to be a pain here but I simply don't understand what
needs to be clarified or what the DNS people need to buy in on that is
not already said in RFC 2782.

Any help from anybody here to understand this is highly appreciated.

Thanks

/Stefan

> -----Original Message-----
> From: Sam Hartman [mailto:hartmans-ietf@xxxxxxx]
> Sent: den 13 juni 2005 22:48
> To: Stefan Santesson
> Cc: Stephen Kent; ietf-pkix@xxxxxxxx; Tim Polk; housley@xxxxxxxxxxxx
> Subject: Re: Defining an SRV RR Other name in pkix
> 
> >>>>> "Stefan" == Stefan Santesson <stefans@xxxxxxxxxxxxx> writes:
> 
>     Stefan> Steve, I agree that it would be useful to have a close
>     Stefan> discussion with DNS folks, especially when developing
>     Stefan> appropriate security considerations.  But I'm not sure
>     Stefan> that is necessary for the decision to create this name
>     Stefan> form.
> 
> I think it very much is.  I believe we need to have the DNS community
> buy-in that the name should be used in that way.