[Anima] Rob: Re: Errata 6642: Re: Registrar to MASA connections: SNI required

[Toerless Eckert <tte@cs.fau.de>]

Rob: 

------ Current text ---------

Section 5.4 says:

Use of TLS 1.3 (or newer) is encouraged.  TLS 1.2 or newer is 
REQUIRED.  TLS 1.3 (or newer) SHOULD be available.
It should say:

TLS 1.2 [RFC5246] with SNI support [RFC6066] is REQUIRED if 
TLS 1.3 is not available.
The Server Name Indicator (SNI) is required when the Registrar 
communicates with the MASA in order for the MASA to be hosted in 
a modern multi-tenant TLS infrastructure.

------- Please replace with ---------

Section 5.4 says:

Use of TLS 1.3 (or newer) is encouraged.  TLS 1.2 or newer is 
REQUIRED.  TLS 1.3 (or newer) SHOULD be available.

Append after that paragraph:

If the MASA is known to the registrar by its DNS hostname,
the registrar MUST send that MASA DNS hostname in the
TLS "Server Name Indicator" (SNI) "server_name" option
[RFC6066] whether TLS 1.2 [RFC5246] or TLS 1.3 [RFC8446] is used.

SNI is required when the MASA is hosted in a modern multi-tenant
TLS infrastructure where it shares an IP or IPv6 address with other HTTPS services.

--------------------------------------

Justification: Michael's alternative to "always send SNI"
is not permitted according to RFC6066 (just found that sentence):

"Literal IPv4 and IPv6 addresses are not permitted in "HostName"

Hence it is prudent to condition the requirement to send SNI
on the condition (DNS hostname)  under which it not only makes sense, but is
also known to be permitted by RFC6066 - so implementers do not
need to find that sentence in RFC6066.

Cheers
    Toerless