IETF Logo Mail Archive

Re: [dnsext] I-D Action:draft-ietf-dnsext-aliasing-requirements-00.txt

Niall O'Reilly <Niall.oReilly@ucd.ie> Tue, 01 March 2011 10:24 UTC

Return-Path: <Niall.oReilly@ucd.ie>
X-Original-To: dnsext@core3.amsl.com
Delivered-To: dnsext@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id C13813A6784 for <dnsext@core3.amsl.com>; Tue, 1 Mar 2011 02:24:43 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KoZxyAu7h7AQ for <dnsext@core3.amsl.com>; Tue, 1 Mar 2011 02:24:43 -0800 (PST)
Received: from smtp.ucd.ie (zebra.ucd.ie [137.43.231.111]) by core3.amsl.com (Postfix) with ESMTP id B021E3A6767 for <dnsext@ietf.org>; Tue, 1 Mar 2011 02:24:42 -0800 (PST)
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AvsJAJFYbE2JK2zZ/2dsb2JhbACCQqQIdLsJhWEEj1I
X-IronPort-AV: E=Sophos;i="4.62,246,1297036800"; d="scan'208";a="2734578"
Received: from dhcp-892b6cd9.ucd.ie ([137.43.108.217]) by smtp.ucd.ie with ESMTP/TLS/AES128-SHA; 01 Mar 2011 10:25:45 +0000
Mime-Version: 1.0 (Apple Message framework v1082)
Content-Type: text/plain; charset="us-ascii"
From: Niall O'Reilly <Niall.oReilly@ucd.ie>
In-Reply-To: <302DAD77E927757D3DEA05DF@nimrod.local>
Date: Tue, 01 Mar 2011 10:25:45 +0000
Content-Transfer-Encoding: 7bit
Message-Id: <98B2460F-C958-4C52-BF99-B64EEC0637A8@ucd.ie>
References: <20110227191542.6824.qmail@joyce.lan> <335963D7-3440-45E6-843C-38F419462792@cisco.com> <4D6C3FD3.7010801@ucd.ie> <302DAD77E927757D3DEA05DF@nimrod.local>
To: Alex Bligh <alex@alex.org.uk>
X-Mailer: Apple Mail (2.1082)
Cc: dnsext@ietf.org
Subject: Re: [dnsext] I-D Action:draft-ietf-dnsext-aliasing-requirements-00.txt
X-BeenThere: dnsext@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: DNS Extensions working group discussion list <dnsext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsext>
List-Post: <mailto:dnsext@ietf.org>
List-Help: <mailto:dnsext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 01 Mar 2011 10:24:43 -0000

On 1 Mar 2011, at 09:28, Alex Bligh wrote:

> For that indirection to be applied to http (e.g. use SRV records) you'd
> need a change at the client end (to use SRV records or whatever) but also
> at the server end, so if a.example.com = b.example.com, and both have SRV
> records to c.example.com, then server c must use the cert for a or b as
> appropriate.

	I'm thinking of a different way, which appears to avoid this problem.

	SRV maps a domain name (OK, a service,transport,name triple) to
	a (set of) host name(s).  If this mapping is provably legitimate
	(DNSSEC), then the browser need only verify that the cert matches
	the final host name.  Matching what I've chosen to call the
	'domain-part' of the http URL is no longer useful.  Used in this way,
	SRV gives us aggregation of certificates: one per target host rather
	than one per secure hosted web site.

	I may be missing something, but I think this needs only client-side
	code changes.  Service-side, certificate administration becomes
	different, but not code.

	ATB
	Niall

v2.23.0 | Report a Bug | By Email