Re: [certid] SRV-ID examples

Dan Winship <dan.winship@gmail.com> Sun, 21 November 2010 14:57 UTC

Message-ID: <4CE93375.9030408@gmail.com>
To: Peter Saint-Andre <stpeter@stpeter.im>
Cc: IETF cert-based identity <certid@ietf.org>
References: <4CE83D6B.1070007@gmail.com> <4CE8A40D.90005@stpeter.im>
In-Reply-To: <4CE8A40D.90005@stpeter.im>

On 11/20/2010 11:46 PM, Peter Saint-Andre wrote:
> On 11/20/10 2:28 PM, Dan Winship wrote:
>> draft-saintandre-tls-server-id-check-11, section 3.2 says:
>>
>>    A certificate for the IMAP-accessible email server at
>>    "mail.example.net" might include SRV-IDs of "_imap.mail.example.net"
>>    and "_imaps.mail.example.net" (see [EMAIL-SRV]) and a DNS-ID of
>>    "mail.example.net".
>>
>> As I understand it, the SRV-ID is based on the source domain, not the
>> derived domain, and so "_imap.mail.example.net" would only be correct if
>> you were expecting clients to do a SRV lookup for
>> "_imap._tcp.mail.example.net". But the more usual case would be doing a
>> lookup for "_imap._tcp.example.net", in which case the corresponding
>> SRV-ID would be "_imap.example.net". Right?
> 
> Why assume so?
> 
> Although my email address is stpeter@stpeter.im, my email server is
> "mailhost.stpeter.im" and I have explicitly configured my email client
> to connect to that server. In that case, "mailhost.stpeter.im" is a
> source domain.

Right, but there would be no SRV-IDs involved in that case, because your
email client didn't need to do a SRV lookup.

Maybe I'm misusing the source/derived domain terminology, so forget
about that part...

What I was trying to say is that the example is weird, because it seems
like it's probably talking about the IMAP server that is used by the guy
whose email address is "bob@example.net", but actually it's talking
about the IMAP server that is used by "alice@MAIL.example.net".
"bob@example.net"'s IMAP server would have to present a SRV-ID of
"_imap.example.net", not "_imap.mail.example.net", regardless of the
hostname of the server it was running on (assuming I'm reading
draft-daboo-srv-email-05 and RFC 4985 right).

Likewise, if you had mail-related SRV records on stpeter.im so that you
could configure your email client by typing in just your email address,
then _imap._tcp.stpeter.im would point to mailhost.stpeter.im, and your
IMAP server would present a certificate with a DNS-ID of
mailhost.stpeter.im and a SRV-ID of _imap.stpeter.im.

-- Dan
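The source-domain rule argued in this message, worked through as an added Python example; it is not part of the original thread or of the draft. The `Certificate` class, the `reference_identifiers` and `check` helpers, and the two certificates are constructed for illustration (one mirrors the draft's section 3.2 example, the other carries the SRV-ID the message says bob@example.net's server needs). It models only the two cases discussed: a client that found its server through an SRV lookup on the mail domain, and a client that was explicitly configured with a host name.

```python
from dataclasses import dataclass

# Identifier forms used below:
#   SRV lookup name: "_" + service + "._tcp." + mail domain  (draft-daboo-srv-email)
#   SRV-ID:          "_" + service + "." + source domain     (RFC 4985)
#   DNS-ID:          the host name the client was told to connect to
# The certificates here are constructed for the example; they are not real.


@dataclass(frozen=True)
class Certificate:
    dns_ids: frozenset
    srv_ids: frozenset


def srv_lookup_name(service: str, mail_domain: str) -> str:
    """QNAME a mail client resolves to locate its server for `mail_domain`."""
    return f"_{service}._tcp.{mail_domain}".lower()


def expected_srv_id(service: str, mail_domain: str) -> str:
    """SRV-ID the server must present when the client found it via SRV.

    The name part is the domain the SRV query was made on (the source
    domain), not the host the SRV record pointed to.
    """
    return f"_{service}.{mail_domain}".lower()


def reference_identifiers(service: str, mail_domain: str,
                          configured_host: str = None) -> dict:
    """Identifiers the client is willing to accept.

    - Address-based configuration (SRV lookup): an SRV-ID on the mail domain.
    - Explicitly configured host: a DNS-ID for that host; no SRV-ID involved.
    """
    if configured_host is None:
        return {"SRV-ID": expected_srv_id(service, mail_domain)}
    return {"DNS-ID": configured_host.lower()}


def certificate_matches(cert: Certificate, refs: dict) -> bool:
    """True if any reference identifier appears in the matching cert field."""
    if refs.get("SRV-ID") in cert.srv_ids:
        return True
    if refs.get("DNS-ID") in cert.dns_ids:
        return True
    return False


def check(cert: Certificate, service: str, mail_domain: str,
          configured_host: str = None) -> bool:
    return certificate_matches(
        cert, reference_identifiers(service, mail_domain, configured_host))


# Certificate as in the draft's section 3.2 example (constructed).
DRAFT_EXAMPLE_CERT = Certificate(
    dns_ids=frozenset({"mail.example.net"}),
    srv_ids=frozenset({"_imap.mail.example.net", "_imaps.mail.example.net"}),
)

# Certificate carrying the SRV-ID bob@example.net's server needs (constructed).
CORRECTED_CERT = Certificate(
    dns_ids=frozenset({"mail.example.net"}),
    srv_ids=frozenset({"_imap.example.net", "_imaps.example.net"}),
)

# Explicitly configured host, as in the stpeter.im case (constructed).
MAILHOST_CERT = Certificate(
    dns_ids=frozenset({"mailhost.stpeter.im"}),
    srv_ids=frozenset(),
)


def demo() -> dict:
    """Outcomes for the scenarios discussed in the thread."""
    return {
        "bob@example.net via SRV, draft cert":
            check(DRAFT_EXAMPLE_CERT, "imap", "example.net"),
        "bob@example.net via SRV, corrected cert":
            check(CORRECTED_CERT, "imap", "example.net"),
        "alice@mail.example.net via SRV, draft cert":
            check(DRAFT_EXAMPLE_CERT, "imap", "mail.example.net"),
        "stpeter.im with explicit host":
            check(MAILHOST_CERT, "imap", "stpeter.im",
                  configured_host="mailhost.stpeter.im"),
    }


if __name__ == "__main__":
    for scenario, ok in demo().items():
        print(f"{scenario}: {'match' if ok else 'NO MATCH'}")
```

Run as a script, the draft's certificate satisfies only a client whose address is at mail.example.net; a client that looked up `_imap._tcp.example.net` needs `_imap.example.net` in the certificate, whatever the host it was pointed at, and an explicitly configured client never consults SRV-IDs at all.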