[Dime] Issue39: What to verify in TLS certificates
If we use subjectAltName for a post-check of TLS certificates in the following way:
a) dNSName contains the name of the domain that the host claims to be in (Origin-Realm in CER/CEA)
b) otherName contains the Id of the application that the host claims to host for the realm specified in a)
Do we also need to verify that the TLS certificate is valid for the domain of the server that was returned by the DNS query? It doesn't seem necessary to me; after all, what we care about is that the host is valid to provide a given service for a given domain.
As an example, if we are interested in getting serviceA for domainA, and at the end of the DNS queries we end up with host5.thirdpartydiamnetwork.com, are we really interested in whether we have a valid certificate for the domain thirdpartydiamnetwork.com?
Currently, in RFC3588 we have the following:
If the server is using a site certificate, the domain name in the query and the domain name in the replacement field MUST both be valid based on the site certificate handed out by the server in the TLS or IKE exchange.
Does that text refer to the type of usage that I think is unnecessary?
Thanks,
Tolga
_______________________________________________
DiME mailing list
DiME at ietf.org
https://www1.ietf.org/mailman/listinfo/dime
Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.
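The following is an added example, not code from the DiME thread or from RFC 3588. It models the two post-checks (a) and (b) from the message above as functions over a parsed subjectAltName, and puts the resolved-host check the message asks about beside them so the three results can be seen separately. The otherName OID, the string encoding of the Application-Id, and the SAN contents of the three sample certificates are all constructed assumptions for illustration; real Diameter Application-Ids are unsigned 32-bit integers and no otherName type for them is defined in RFC 3588.

```python
"""Model of the Diameter TLS subjectAltName post-checks discussed above.

Added example, not code from the DiME list or RFC 3588. The otherName OID,
the sample certificates and the host names are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Hypothetical OID for an otherName carrying a Diameter Application-Id.
# RFC 3588 assigns no such OID; this value is an assumption of the example.
APP_ID_OTHERNAME_OID = "1.3.6.1.4.1.99999.1.1"


@dataclass
class SubjectAltName:
    """Subset of a parsed subjectAltName: dNSName strings and
    otherName (type-id OID, value) pairs."""
    dns_names: List[str] = field(default_factory=list)
    other_names: List[Tuple[str, str]] = field(default_factory=list)


def _normalize(name: str) -> str:
    # DNS names are case-insensitive; ignore a trailing root dot.
    return name.rstrip(".").lower()


def dns_name_matches(pattern: str, host: str) -> bool:
    """Host-name matching in the style of RFC 2818 / RFC 6125: exact match,
    or a single '*' standing for the whole leftmost label only."""
    pattern, host = _normalize(pattern), _normalize(host)
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    # The wildcard must be the entire leftmost label, the pattern must have
    # at least three labels, and the label counts must agree.
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def realm_check(san: SubjectAltName, origin_realm: str) -> bool:
    """Check (a): a dNSName equals the realm the peer claims in Origin-Realm.
    A realm is compared exactly; wildcard entries are not accepted for it."""
    realm = _normalize(origin_realm)
    return any(_normalize(d) == realm for d in san.dns_names if "*" not in d)


def application_check(san: SubjectAltName, app_id: str) -> bool:
    """Check (b): an otherName carries the Application-Id the peer claims to
    serve for that realm (a plain-string encoding is assumed here)."""
    return (APP_ID_OTHERNAME_OID, app_id) in san.other_names


def resolved_host_check(san: SubjectAltName, resolved_host: str) -> bool:
    """The check the message asks about: does the certificate also cover the
    host name that DNS resolution actually led us to?"""
    return any(dns_name_matches(d, resolved_host) for d in san.dns_names)


def postcheck(san: SubjectAltName, origin_realm: str, app_id: str,
              resolved_host: str) -> Dict[str, bool]:
    """Run all three checks and report each separately, so local policy can
    decide whether the resolved-host check is required or not."""
    return {
        "realm": realm_check(san, origin_realm),
        "application": application_check(san, app_id),
        "resolved_host": resolved_host_check(san, resolved_host),
    }


# Constructed sample certificates, using the names from the message above.
# Cert 1: asserts only "I serve serviceA for domainA"; no name for the host.
CERT_SERVICE_ONLY = SubjectAltName(
    dns_names=["domainA"],
    other_names=[(APP_ID_OTHERNAME_OID, "serviceA")],
)
# Cert 2: the same claims plus a site certificate covering the resolved host.
CERT_SERVICE_AND_SITE = SubjectAltName(
    dns_names=["domainA", "*.thirdpartydiamnetwork.com"],
    other_names=[(APP_ID_OTHERNAME_OID, "serviceA")],
)
# Cert 3: a site certificate for the bare domain only, which does not cover
# host5 under host-name matching rules.
CERT_BARE_DOMAIN = SubjectAltName(
    dns_names=["domainA", "thirdpartydiamnetwork.com"],
    other_names=[(APP_ID_OTHERNAME_OID, "serviceA")],
)

RESOLVED_HOST = "host5.thirdpartydiamnetwork.com"

if __name__ == "__main__":
    for label, cert in [("service only", CERT_SERVICE_ONLY),
                        ("service + site", CERT_SERVICE_AND_SITE),
                        ("bare domain", CERT_BARE_DOMAIN)]:
        print(label, postcheck(cert, "domainA", "serviceA", RESOLVED_HOST))
```

The three results are reported separately rather than folded into one boolean because the question on the list is exactly whether the third one should be required; note also that a site certificate for the bare domain thirdpartydiamnetwork.com would not cover host5 under ordinary host-name matching, so requiring that check means the certificate must name the host (or a matching wildcard), not just the third party's domain.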