Update draft-ietf-wimse-s2s-protocol.md
Co-authored-by: Yaron Sheffer <[email protected]>
jsalowey and yaronf authored Dec 19, 2024
1 parent 4b57547 commit 5c056d6
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion draft-ietf-wimse-s2s-protocol.md
Expand Up @@ -544,7 +544,7 @@ WIMSE server certificates SHOULD have the `id-kp-serverAuth` extended key usage

## Server Name Validation {#server-name}

If the WIMSE client uses a hostname to connect to the server and the server certificate contain a DNS SAN the client MUST perform standard host name validation ({{Section 6.3 of RFC9525}}) unless it is configured with the information necessary to validate the peer's WIMSE identity. If the client did not perform standard host name validation then the WIMSE client SHOULD further use the WIMSE workload identifier to validate the server. The host portion of the URI representation of the WIMSE workload identity is NOT treated as a host name as specified in section 6.4 of {{!RFC9525}} but rather as a trust domain. The server identity is encoded in the path portion of the WIMSE workload identifier in a deployment specific way. Validating the WIMSE workload identity could be a simple match on the trust domain and path portions of the identifier or validation may be based on the specific details on how the identifier is constructed. The path portion of the WIMSE identifier MUST always be considered in the scope of the trust domain.
If the WIMSE client uses a hostname to connect to the server and the server certificate contain a DNS SAN the client MUST perform standard host name validation ({{Section 6.3 of RFC9525}}) unless it is configured with the information necessary to validate the peer's WIMSE identity. If the client did not perform standard host name validation then the WIMSE client SHOULD further use the WIMSE workload identifier to validate the server. The host portion of the WIMSE workload identifier is NOT treated as a host name as specified in section 6.4 of {{!RFC9525}} but rather as a trust domain. The server identity is encoded in the path portion of the WIMSE workload identifier in a deployment specific way. Validating the WIMSE workload identity could be a simple match on the trust domain and path portions of the identifier or validation may be based on the specific details on how the identifier is constructed. The path portion of the WIMSE identifier MUST always be considered in the scope of the trust domain.

## Client Authorization Using the WIMSE Identity {#client-name}

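Review bot: the changed sentence keeps two defects that this one-line edit could have fixed at the same time: "the server certificate contain a DNS SAN" should read "contains", and the citation "section 6.4 of {{!RFC9525}}" is styled differently from "({{Section 6.3 of RFC9525}})" two sentences earlier, so one form (the `{{Section N of RFC9525}}` form) should be used for both. On the substantive change, dropping "the URI representation of" leaves "host portion" in "The host portion of the WIMSE workload identifier is NOT treated as a host name" without anything in this paragraph that ties it to the identifier's URI syntax; if the intent is that the identifier is a URI whose authority component carries the trust domain, state that explicitly (for example "The host component of the WIMSE workload identifier URI is NOT treated as a host name ... but rather as a trust domain"), otherwise a reader of this section alone cannot tell what "host portion" and "path portion" refer to.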