[dane] [Errata Held for Document Update] RFC7672 (6283)
RFC Errata System <rfc-editor@rfc-editor.org> Tue, 16 January 2024 14:57 UTC
Return-Path: <wwwrun@rfcpa.amsl.com>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 41C3EC14CF05; Tue, 16 Jan 2024 06:57:26 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.657
X-Spam-Level:
X-Spam-Status: No, score=-1.657 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HEADER_FROM_DIFFERENT_DOMAINS=0.249, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id N416GkfRdyJi; Tue, 16 Jan 2024 06:57:25 -0800 (PST)
Received: from rfcpa.amsl.com (rfcpa.amsl.com [50.223.129.200]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D8E00C51ABA6; Tue, 16 Jan 2024 06:26:10 -0800 (PST)
Received: by rfcpa.amsl.com (Postfix, from userid 499) id CFBA41BA3D9F; Tue, 16 Jan 2024 06:26:10 -0800 (PST)
To: ietf-dane@dukhovni.org, ietf-dane@dukhovni.org, ietf@hardakers.net
From: RFC Errata System <rfc-editor@rfc-editor.org>
Cc: paul.wouters@aiven.io, iesg@ietf.org, dane@ietf.org, rfc-editor@rfc-editor.org
Content-Type: text/plain; charset="UTF-8"
Message-Id: <20240116142610.CFBA41BA3D9F@rfcpa.amsl.com>
Date: Tue, 16 Jan 2024 06:26:10 -0800
Archived-At: <https://mailarchive.ietf.org/arch/msg/dane/SxI5VFsBYn0B1fPpNV-Kmj3bwLo>
Subject: [dane] [Errata Held for Document Update] RFC7672 (6283)
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dane/>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 16 Jan 2024 14:57:26 -0000
The following errata report has been held for document update for RFC7672, "SMTP Security via Opportunistic DNS-Based Authentication of Named Entities (DANE) Transport Layer Security (TLS)". -------------------------------------- You may review the report below and at: https://www.rfc-editor.org/errata/eid6283 -------------------------------------- Status: Held for Document Update Type: Technical Reported by: Viktor Dukhovni <ietf-dane@dukhovni.org> Date Reported: 2020-09-08 Held by: Paul Wouters (IESG) Section: 3.2.2 Original Text ------------- 3.2.2. DANE-TA(2) Name Checks To match a server via a TLSA record with certificate usage DANE-TA(2), the client MUST perform name checks to ensure that it has reached the correct server. In all DANE-TA(2) cases, the SMTP client MUST employ the TLSA base domain as the primary reference identifier for matching the server certificate. TLSA records for MX hostnames: If the TLSA base domain was obtained indirectly via a "secure" MX lookup (including any CNAME-expanded name of an MX hostname), then the original next-hop domain used in the MX lookup MUST be included as a second reference identifier. The CNAME-expanded original next-hop domain MUST be included as a third reference identifier if different from the original next-hop domain. When the client MTA is employing DANE TLS security despite "insecure" MX redirection, the MX hostname is the only reference identifier. Corrected Text -------------- 3.2.2. DANE-TA(2) Name Checks To match a server via a TLSA record with certificate usage DANE-TA(2), the client MUST perform name checks to ensure that it has reached the correct server. In all DANE-TA(2) cases, the SMTP client MUST employ the TLSA base domain as the primary reference identifier for matching the server certificate. TLSA records for MX hostnames: If the TLSA base domain was obtained indirectly via a "secure" MX lookup (including any CNAME-expanded name of an MX hostname), then the original next-hop domain used in the MX lookup MUST be included as a second reference identifier. The CNAME-expanded original next-hop domain MUST be included as a third reference identifier if different from the original next-hop domain. When the client MTA is employing DANE TLS security despite "insecure" MX redirection, the TLSA base domain is the only reference identifier. Notes ----- The first paragraph of 3.2.2 makes it clear that the TLSA base domain is the primary reference identifier in all cases. The last sentence of the second paragraph inadvertently contradicts this in the case the the TLSA base domain is a CNAME expansion of the input MX hostname. The corrected text replaces "... the MX hostname is the only reference identifier" with "... the TLSA base domain is the only reference identifier". -------------------------------------- RFC7672 (draft-ietf-dane-smtp-with-dane-19) -------------------------------------- Title : SMTP Security via Opportunistic DNS-Based Authentication of Named Entities (DANE) Transport Layer Security (TLS) Publication Date : October 2015 Author(s) : V. Dukhovni, W. Hardaker Category : PROPOSED STANDARD Source : DNS-based Authentication of Named Entities Area : Security Stream : IETF Verifying Party : IESG
- [dane] [Errata Held for Document Update] RFC7672 … RFC Errata System