/
950.txt
29 lines (23 loc) · 1.25 KB
/
950.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
[FIG(quote)[
[FIGCAPTION[
[1] [CITE@en[RFC 6125 - Representation and Verification of Domain-Based Application Service Identity within Internet Public Key Infrastructure Using X.509 (PKIX) Certificates in the Context of Transport Layer Security (TLS)]]
([TIME[2015-03-13 22:27:53 +09:00]] 版)
<https://tools.ietf.org/html/rfc6125#section-1.8>
]FIGCAPTION]
> reference identifier: An identifier, constructed from a source
> domain and optionally an application service type, used by the
> client for matching purposes when examining presented identifiers.
]FIG]
[FIG(quote)[
[FIGCAPTION[
[2] [CITE@en[RFC 7525 - Recommendations for Secure Use of Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS)]]
([TIME[2015-05-29 03:22:56 +09:00]] 版)
<https://tools.ietf.org/html/rfc7525#section-6.1>
]FIGCAPTION]
> If the host name is discovered indirectly and in an insecure manner
> (e.g., by an insecure DNS query for an MX or SRV record), it SHOULD
> NOT be used as a reference identifier '''['''RFC6125''']''' even when it matches
> the presented certificate. This proviso does not apply if the host
> name is discovered securely (for further discussion, see '''['''DANE-SRV''']'''
> and '''['''DANE-SMTP''']''').
]FIG]