Re: [certid] SRV-ID examples
Peter Saint-Andre <stpeter@stpeter.im> Tue, 30 November 2010 03:09 UTC
Return-Path: <stpeter@stpeter.im>
X-Original-To: certid@core3.amsl.com
Delivered-To: certid@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id B674228C176 for <certid@core3.amsl.com>; Mon, 29 Nov 2010 19:09:10 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.208
X-Spam-Level:
X-Spam-Status: No, score=-102.208 tagged_above=-999 required=5 tests=[AWL=-0.209, BAYES_00=-2.599, J_CHICKENPOX_72=0.6, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id W5qRaEW6Af45 for <certid@core3.amsl.com>; Mon, 29 Nov 2010 19:09:09 -0800 (PST)
Received: from stpeter.im (stpeter.im [207.210.219.233]) by core3.amsl.com (Postfix) with ESMTP id 7C49E28C113 for <certid@ietf.org>; Mon, 29 Nov 2010 19:09:09 -0800 (PST)
Received: from squire.local (ip-216-17-182-51.rev.frii.com [216.17.182.51]) (Authenticated sender: stpeter) by stpeter.im (Postfix) with ESMTPSA id 47EC54009B; Mon, 29 Nov 2010 20:21:24 -0700 (MST)
Message-ID: <4CF46B10.7060504@stpeter.im>
Date: Mon, 29 Nov 2010 20:10:08 -0700
From: Peter Saint-Andre <stpeter@stpeter.im>
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.2.12) Gecko/20101027 Thunderbird/3.1.6
MIME-Version: 1.0
To: Dan Winship <dan.winship@gmail.com>
References: <4CE83D6B.1070007@gmail.com> <4CE8A40D.90005@stpeter.im> <4CE93375.9030408@gmail.com>
In-Reply-To: <4CE93375.9030408@gmail.com>
X-Enigmail-Version: 1.1.1
OpenPGP: url=http://www.saint-andre.com/me/stpeter.asc
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha1"; boundary="------------ms040105060702080203050704"
Cc: IETF cert-based identity <certid@ietf.org>
Subject: Re: [certid] SRV-ID examples
X-BeenThere: certid@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Representation and verification of identity in certificates <certid.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/certid>, <mailto:certid-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/certid>
List-Post: <mailto:certid@ietf.org>
List-Help: <mailto:certid-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/certid>, <mailto:certid-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 30 Nov 2010 03:09:10 -0000
Sorry about the delayed reply, and thanks for your persistence. On 11/21/10 7:57 AM, Dan Winship wrote: > On 11/20/2010 11:46 PM, Peter Saint-Andre wrote: >> On 11/20/10 2:28 PM, Dan Winship wrote: >>> draft-saintandre-tls-server-id-check-11, section 3.2 says: >>> >>> A certificate for the IMAP-accessible email server at >>> "mail.example.net" might include SRV-IDs of "_imap.mail.example.net" >>> and "_imaps.mail.example.net" (see [EMAIL-SRV]) and a DNS-ID of >>> "mail.example.net". >>> >>> As I understand it, the SRV-ID is based on the source domain, not the >>> derived domain, and so "_imap.mail.example.net" would only be correct if >>> you were expecting clients to do a SRV lookup for >>> "_imap._tcp.mail.example.net". But the more usual case would be doing a >>> lookup for "_imap._tcp.example.net", in which case the corresponding >>> SRV-ID would "_imap.example.net". Right? >> >> Why assume so? >> >> Although my email address is stpeter@stpeter.im, my email server is >> "mailhost.stpeter.im" and I have explicitly configured my email client >> to connect to that server. In that case, "mailhost.stpeter.im" is a >> source domain. > > Right, but there would be no SRV-IDs involved in that case, because your > email client didn't need to do a SRV lookup. Not necessarily. Let's say that I've delegated my XMPP application to Google's hosting service at gmail.com. So in my client I hardcode the equivalent of "for stpeter.im, connect to gmail.com". But my client might still need to do an SRV lookup for the target domain, leading to results like this: $ dig +short -t SRV _xmpp-client._tcp.gmail.com 20 0 5222 talk1.l.google.com. 20 0 5222 talk2.l.google.com. 20 0 5222 talk3.l.google.com. 20 0 5222 talk4.l.google.com. 5 0 5222 talk.l.google.com. > Maybe I'm misusing the source/derived domain terminology, so forget > about that part... Well, it's important to understand the terminology so we're sure that we're talking about the same things. So far I think we might be talking about different things, but both are important. > What I was trying to say is that the example is weird, because it seems > like it's probably talking about the IMAP server that is used by the guy > whose email address is "bob@example.net", but actually it's talking > about the IMAP server that is used by "alice@MAIL.example.net". > "bob@example.net"'s IMAP server would have to present a SRV-ID of > "_imap.example.net", not "_imap.mail.example.net", regardless of the > hostname of the server it was running on (assuming I'm reading > draft-daboo-srv-email-05 and RFC 4985 right). I think it would be helpful to have one example of foo.example.tld servicing addresses of the form user@example.tld and one example of foo.example.tld servicing addresses of the form user@foo.example.tld, because both approaches are legitimate and it's good to show the differences between the two. Thus I suggest: ### 3.2. Examples Consider a simple website at "www.example.com", which is not discoverable via DNS SRV lookups. A certificate for this service might include only a DNS-ID of "www.example.com" (and, strictly as a fallback for existing client software, a CN-ID of "www.example.com"). Consider an IMAP-accessible email server at "mail.example.net" servicing email addresses of the form "user@example.net" and discoverable via DNS SRV lookups on the "example.net" domain. A certificate for this service might include SRV-IDs of "_imap.example.net" and "_imaps.example.net" (see [EMAIL-SRV]) along with a DNS-ID of "example.net". Consider an XMPP-compatible instant messaging server at "im.example.org" servicing IM addresses of the form "user@im.example.org" and discoverable via DNS SRV lookups on the "im.example.org" domain. A certificate for this service might include SRV-IDs of "_xmpp-client.im.example.org" and "_xmpp- server.im.example.org" (see [XMPP]), a DNS-ID of "im.example.org", and an XMPP-specific "XmppAddr" of "im.example.org" (see [XMPP]). ### Peter -- Peter Saint-Andre https://stpeter.im/
- [certid] SRV-ID examples Dan Winship
- Re: [certid] SRV-ID examples Peter Saint-Andre
- Re: [certid] SRV-ID examples Dan Winship
- Re: [certid] SRV-ID examples Peter Saint-Andre