Re: [dane] Review of DANE SMTP draft

Viktor Dukhovni <viktor1dane@dukhovni.org> Sat, 15 March 2014 02:42 UTC

Return-Path: <viktor1dane@dukhovni.org>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5BADE1A026B for <dane@ietfa.amsl.com>; Fri, 14 Mar 2014 19:42:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 2.871
X-Spam-Level: **
X-Spam-Status: No, score=2.871 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPOOF_COM2COM=2.048, SPOOF_COM2OTH=2.723] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nqVz9mlt3zIM for <dane@ietfa.amsl.com>; Fri, 14 Mar 2014 19:42:11 -0700 (PDT)
Received: from mournblade.imrryr.org (mournblade.imrryr.org [38.117.134.19]) by ietfa.amsl.com (Postfix) with ESMTP id E47551A0230 for <dane@ietf.org>; Fri, 14 Mar 2014 19:42:10 -0700 (PDT)
Received: by mournblade.imrryr.org (Postfix, from userid 1034) id A553F2AB259; Sat, 15 Mar 2014 02:42:03 +0000 (UTC)
Date: Sat, 15 Mar 2014 02:42:03 +0000
From: Viktor Dukhovni <viktor1dane@dukhovni.org>
To: dane@ietf.org
Message-ID: <20140315024203.GW21390@mournblade.imrryr.org>
References: <C28AB0DE-0391-4EA3-8312-DC2D2F7FD167@isode.com> <20140314052342.GQ21390@mournblade.imrryr.org> <m3fvmkb7fu.fsf@carbon.jhcloos.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <m3fvmkb7fu.fsf@carbon.jhcloos.org>
User-Agent: Mutt/1.5.21 (2010-09-15)
Archived-At: http://mailarchive.ietf.org/arch/msg/dane/3OvHRq3Pz6xpP8Wu3sT5Swub1P8
Subject: Re: [dane] Review of DANE SMTP draft
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: dane@ietf.org
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dane/>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 15 Mar 2014 02:42:12 -0000

On Fri, Mar 14, 2014 at 09:01:48PM -0400, James Cloos wrote:

> > The folks at Postini have a wildcard cert for "*.psmtp.com" and
> > clients publish MX records of the form:
> >
> >   verisign.com.           IN      MX      100 verisign.com.s6a1.psmtp.com.
> >   verisign.com.           IN      MX      200 verisign.com.s6a2.psmtp.com.
> >   verisign.com.           IN      MX      300 verisign.com.s6b1.psmtp.com.
> >   verisign.com.           IN      MX      400 verisign.com.s6b2.psmtp.com.
> 
> For some historical context, mozilla's original wildcarded ssl implement-
> ation also allowed an *. to match any number of labels.
> 
> Several sites were broken by the change to limit a wildcard to a single label.

I take it you're suggesting to not perpetuate Postini's abuse of
wildcard certs?  Implementations might choose to be more liberal,
but servers can't expect multi-label wildcard support.  Right?

-- 
	Viktor.