On Sun, 2010-04-04 at 03:19 -0400, Matt McCutchen wrote:
> The real problem there is that TLS uses DNS names and thus does not
> distinguish different services on the same server. Using RFC 4985
> SRVNames such as _SMTP.example.com in certificates would solve that.

I meant to add: Server Name Indication should use SRVNames too. That way, an attempt to connect a client to the wrong service can be caught at the TLS level even if the same certificate is used, since the server_name extension is integrity-protected by the Finished hash.

-- 
Matt

-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
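The distinction the thread draws, as an added illustration that is not part of the message above and not code from any of the participants: a plain DNS-ID check accepts any service running on a host, whereas a check against an RFC 4985 SRVName (`_Service.Name`, carried as a subjectAltName otherName of type id-on-dnsSRV, OID 1.3.6.1.5.5.7.8.7) refuses a certificate that was not issued for the requested service. The SAN list is constructed rather than parsed from a real certificate, and `server_accepts_sni` models the proposal in the post (an SRVName in the server_name extension checked by the listener) as a hypothetical rule; standardized SNI (RFC 6066) carries only host names.

```python
"""Service-aware certificate name matching (added example, not from the thread)."""
from dataclasses import dataclass
from typing import Optional

# RFC 4985: an SRVName is a subjectAltName otherName whose type-id is
# id-on-dnsSRV (1.3.6.1.5.5.7.8.7) and whose value is "_Service.Name".
ID_ON_DNS_SRV = "1.3.6.1.5.5.7.8.7"


@dataclass(frozen=True)
class SAN:
    """One subjectAltName entry; type_id is only meaningful for otherName."""
    kind: str                    # "DNS" or "otherName"
    value: str
    type_id: Optional[str] = None


def dns_ids(sans):
    """All DNS-ID values, lower-cased for case-insensitive comparison."""
    return [s.value.lower() for s in sans if s.kind == "DNS"]


def srv_names(sans):
    """All RFC 4985 SRVName values, lower-cased."""
    return [s.value.lower() for s in sans
            if s.kind == "otherName" and s.type_id == ID_ON_DNS_SRV]


def srv_name(service, host):
    """Build the "_Service.Name" form; the comparison is case-insensitive."""
    return f"_{service}.{host}".lower()


def check_dns_only(sans, host):
    """Classic check: exact DNS-ID equality (wildcards deliberately not handled)."""
    return host.lower() in dns_ids(sans)


def check_srv(sans, service, host):
    """Service-aware check: the certificate must carry the exact SRVName."""
    return srv_name(service, host) in srv_names(sans)


def verify(sans, service, host, require_srv):
    """Return (accepted, reason) for a client wanting `service` at `host`."""
    if require_srv:
        if check_srv(sans, service, host):
            return True, f"SRVName {srv_name(service, host)} present"
        return False, f"certificate does not authorize {srv_name(service, host)}"
    if check_dns_only(sans, host):
        return True, f"DNS-ID {host} matches; service not distinguished"
    return False, f"no DNS-ID for {host}"


def server_accepts_sni(offered_srv_names, sni_value):
    """Hypothetical listener rule from the post: the handshake continues only
    if the SRVName the client put in server_name is a service this listener
    offers, so a client pointed at the wrong service fails at the TLS layer."""
    return sni_value.lower() in {n.lower() for n in offered_srv_names}


# Constructed: one certificate shared by the SMTP and IMAP listeners on a
# host, but issued only for the IMAP service.
MAIL_CERT_SANS = [
    SAN("DNS", "example.com"),
    SAN("otherName", "_imap.example.com", ID_ON_DNS_SRV),
]

if __name__ == "__main__":
    for svc in ("imap", "smtp"):
        print(svc, "DNS-only:", verify(MAIL_CERT_SANS, svc, "example.com", False))
        print(svc, "SRVName: ", verify(MAIL_CERT_SANS, svc, "example.com", True))
```

Run as a script, the DNS-only check accepts both IMAP and SMTP against the shared certificate, while the SRVName check accepts only IMAP; the listener rule likewise turns away an SNI value naming a service it does not offer.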