Re: Additional reviews of draft-daboo-srv-email-02.txt needed

["Vijay K. Gurbani" <vkg@alcatel-lucent.com>]

Shumon Huque wrote:
> Quite true, although an important question is how the domain part
> is advertised in the certificate. Most likely it will be put in
> the the common name or the subjectaltname's DNSname field. But
> in many cases that poses a security problem, if other services
> unrelated to IMAP (or POP3 and submission) are also hosted at
> the domain part. If we issue an "example.com" certificate to the
> IMAP service, it could use that to impersonate any TLS service at
> that domain unrelated to IMAP (eg. jabber, https, etc).

That is quite true (though I am not sure whether it is
"impersonation", per se; after all, it is a signed and issued
certificate.)

> I'm not sure we have a good practical solution to this problem.

The notion of tying an identity in the certificate to a specific
use is reasonable, I think.  The way we did this in our SIP
work was to have a SIP-specific extended key usage (EKU) -- see
http://tools.ietf.org/html/draft-ietf-sip-eku-05.

However, EKUs have their own set of emotional baggage,
including the fact that existing certificates will not have
the specific extension specified.

Thanks,

- vijay
-- 
Vijay K. Gurbani, Bell Laboratories, Alcatel-Lucent
1960 Lucent Lane, Rm. 9C-533, Naperville, Illinois 60566 (USA)
Email: vkg@{alcatel-lucent.com,bell-labs.com,acm.org}
Web:   http://ect.bell-labs.com/who/vkg/