RFC 4985, "Internet X.509 Public Key Infrastructure Subject Alternative Name for Expression of Service Name", August 2007
Source of RFC: pkix (sec)
See Also: RFC 4985 w/ inline errata
Errata ID: 2520
Publication Format(s) : TEXT
Reported By: Stefan Santesson
Date Reported: 2010-09-14
Verifier Name: Tim Polk
Date Verified: 2011-03-09
Section 2 says:
   Name
      The DNS domain name of the domain where the specified service is located.
It should say:
   Name
      A DNS domain name, representing a domain for which the certificate issuer has asserted that the certified subject is a legitimate provider of the identified service.
The current text is ambiguous compared with the defined meaning of this name form given in the RFC.
The definition of this component is given in the overall definition as:
"The content of the components of this name form MUST be consistent
with the corresponding definition of these components in an SRV RR
according to RFC 2782 [N3]."
And later in the same section:
"The purpose of the SRVName is limited to authorization of
service provision within a domain."
The changed text makes it clear that the domain is the domain where the certified host is a legitimate service provider, which may or may not be the domain where the same host is located. Thus the changed text harmonizes with the rest of the document.
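
The following is an added example, not part of the erratum or of RFC 4985, showing what the corrected wording means for a relying party: the SRVName (form _Service.Name) is compared against the service and the domain the client set out to reach, never against the DNS name of the host that answered. Function names, the sample certificate values and the case-insensitive comparison are assumptions made for this sketch.

```python
# Added illustration. All names and sample values below are constructed.

def parse_srvname(value):
    """Split an SRVName of the form _Service.Name into (service, name)."""
    if not value.isascii():
        # SRVName is an IA5String, so non-ASCII input cannot be valid.
        raise ValueError("SRVName must be ASCII")
    label, sep, name = value.partition(".")
    if not sep or len(label) < 2 or not label.startswith("_"):
        raise ValueError("expected _Service.Name")
    if any(part == "" for part in name.split(".")):
        raise ValueError("empty label in domain name")
    # Assumption: compare case-insensitively, as DNS names are.
    return label[1:].lower(), name.lower()


def srvname_authorizes(cert_srvnames, service, queried_domain):
    """True if the certificate asserts the subject is a legitimate provider
    of `service` for `queried_domain` (the domain the client asked for)."""
    want = (service.lower(), queried_domain.rstrip(".").lower())
    for value in cert_srvnames:
        try:
            if parse_srvname(value) == want:
                return True
        except ValueError:
            continue  # malformed entries never authorize anything
    return False


# Constructed scenario: the client wants xmpp-client for example.com.
# DNS SRV points it at a host located in a different domain.
CERT_SRVNAMES = ["_xmpp-client.example.com"]   # from the server certificate
SRV_TARGET_HOST = "srv1.hosting.example.net"   # where the host is located

if __name__ == "__main__":
    # Domain being served: authorized.
    print(srvname_authorizes(CERT_SRVNAMES, "xmpp-client", "example.com"))
    # Domain where the host merely lives: not authorized by this name form.
    host_domain = SRV_TARGET_HOST.split(".", 1)[1]
    print(srvname_authorizes(CERT_SRVNAMES, "xmpp-client", host_domain))
```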