Hello,

I was asked to review 'draft-ietf-scim-events' for DNSDIR because Section 4 mentions DNS-ID and DANE. The line in question says:

    The client MUST perform a TLS/SSL server certificate check using DNS-ID [RFC6125] and/or DANE [RFC6698].

Several questions pop into my head while reading this:

- What happens if the two methods disagree?
- If none of the methods works, the client should ... abort (I guess, it's not spelled out in that paragraph?)
- Is this the only way to validate the server cert? What if there is some off-line method, is that prohibited? Or any others?
- I'm slightly less familiar with DNS-ID, but for DANE you need to publish a fairly precisely named record, what is that in this case? Maybe a similar question can be asked for DNS-ID?
- At least DANE requires DNSSEC, does that make DNSSEC a requirement for SCIM?

These might all have good answers, but this one line in the draft makes it feel a bit terse.

Kind regards,
Miek