On 7/29/20 9:53 AM, Bastian Blank wrote:
> However, please describe how you would implement the requirements of RFC
> 6125 section 6[2]? You can't use SRV records without support for useful
> server authentication.
Full ack. That's something most people overlook / ignore when naively asking for support of SRV RRs: there's no cryptographic binding between a configured name and the public key of the TLS server. (I see this discussion quite often in the LDAP world.)

An RFC could specify such a name binding, e.g. by specifying a subjectAltName form based on URLs (GeneralName.uniformResourceIdentifier). But even if such an RFC exists, public CAs would have to check the validity of such a name / URL before issuing a TLS server cert. Which would be another can of worms...

Ciao, Michael.
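The following is an added illustration of the point made in this thread, not code from either poster: an RFC 6125 section 6 style identity check in which the reference identifiers are derived only from the name the client was configured with (as a DNS-ID and an SRV-ID), so a certificate issued for the SRV target host is rejected unless the SRV lookup itself was authenticated (for example via DNSSEC, as section 6.2.1 permits). Names such as `example.com` and `ldap1.hosting.example` are constructed sample values.

```python
"""Match a TLS server certificate's presented identifiers (from subjectAltName)
against reference identifiers derived from the client's *configured* name.

An SRV target name comes from unauthenticated DNS and therefore is not bound to
the server's key; it only becomes a reference identifier when the SRV answer was
authenticated (RFC 6125 section 6.2.1). Hypothetical helper code, not the RFC.
"""


def dns_id_matches(pattern, name):
    """RFC 6125 section 6.4.3, strict reading: a wildcard is only accepted as the
    whole left-most label, matches exactly one label, and never a 2-label name."""
    p, n = pattern.lower().rstrip("."), name.lower().rstrip(".")
    if p == n:
        return True
    if not p.startswith("*.") or "*" in p[2:]:
        return False
    labels = n.split(".")
    return len(labels) >= 3 and ".".join(labels[1:]) == p[2:]


def reference_identifiers(configured_name, service, srv_target=None,
                          srv_target_authenticated=False):
    """DNS-ID and SRV-ID references for a configured source domain. The SRV
    target host is added only if the client authenticated the SRV record."""
    refs = {("DNS-ID", configured_name),
            ("SRV-ID", "_%s.%s" % (service, configured_name))}
    if srv_target and srv_target_authenticated:
        refs.add(("DNS-ID", srv_target))
    return refs


def certificate_accepted(presented, configured_name, service, srv_target=None,
                         srv_target_authenticated=False):
    """presented: list of (kind, value) from the cert's SAN, where dNSName entries
    are ("DNS-ID", name) and SRVName otherName entries are ("SRV-ID", name).
    CN-ID is deliberately ignored, as RFC 6125 discourages relying on it."""
    refs = reference_identifiers(configured_name, service, srv_target,
                                 srv_target_authenticated)
    for kind, value in presented:
        for ref_kind, ref_value in refs:
            if kind != ref_kind:
                continue
            if kind == "DNS-ID" and dns_id_matches(value, ref_value):
                return True
            if kind == "SRV-ID" and value.lower() == ref_value.lower():
                return True
    return False
```

A certificate that only names the SRV target (the common hosted-LDAP situation described above) is rejected unless the caller asserts the SRV record was authenticated.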