Re: [hybi] DNS SRV for WebSocket

Dave Cridland <dave@cridland.net> Mon, 28 March 2011 10:55 UTC

References: <BANLkTi=G6bc=FquLM8agKWojmDkD9FohxA@mail.gmail.com> <8B0A9FCBB9832F43971E38010638454F04027B925A@SISPE7MB1.commscope.com> <4126.1301298937.410511@puncture> <8B0A9FCBB9832F43971E38010638454F04027B92DD@SISPE7MB1.commscope.com>
In-Reply-To: <8B0A9FCBB9832F43971E38010638454F04027B92DD@SISPE7MB1.commscope.com>
MIME-Version: 1.0
Message-Id: <4126.1301309823.420847@puncture>
Date: Mon, 28 Mar 2011 11:57:03 +0100
From: Dave Cridland <dave@cridland.net>
To: "Thomson, Martin" <Martin.Thomson@commscope.com>, Iñaki Baz Castillo <ibc@aliax.net>, Server-Initiated HTTP <hybi@ietf.org>
Content-Type: text/plain; delsp="yes"; charset="us-ascii"; format="flowed"
Subject: Re: [hybi] DNS SRV for WebSocket

On Mon Mar 28 11:36:32 2011, Thomson, Martin wrote:
> On 2011-03-28 at 09:55:37, Dave Cridland wrote:
> > They are generally not used for port selection, but to allow the
> > diversion of a service from one name (the domain) to another (the
> > providing host).
> 
> Security on that front is a little iffy. See draft-barnes-hard-problem.

Actually it's straightforward from a technical standpoint, until you delegate services across administrative boundaries. Again, the XMPP world has been successfully authenticating using X.509 certificates with SRV records in play for many years.

Richard's been working closely with the XMPP community to find a solution to the "HARD" problem of cross-boundary delegation, but meanwhile I'd note that the problem exists with HTTP just as much as with XMPP and other SRV-using protocols, the primary distinction being that there is no explicit delegation visible, so people don't notice it as much. (Which is odd, since in HTTP there is a far *higher* delegation level for secure sites, as few as there are).

The actual problem only exists in the case where the private key cannot be given to the hosting organization, and I'd note is easier to solve if SRV records exist, thanks to DNSSEC (and the ability to then validate the delegation to an intermediate identity one can use in the certificate).

So in summary, SRV records actually simplify the problem.

Dave.
-- 
Dave Cridland - mailto:dave@cridland.net - xmpp:dwd@dave.cridland.net
  - acap://acap.dave.cridland.net/byowner/user/dwd/bookmarks/
  - http://dave.cridland.net/
Infotrope Polymer - ACAP, IMAP, ESMTP, and Lemonade
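As an added example (not part of Dave's mail or of any project's code), the reference-identity rule his argument relies on: a client that followed an SRV record authenticates the source domain it was asked for, and accepts the SRV target host as a certificate identity only when the SRV answer itself was DNSSEC-validated. The `SrvLookup` structure, function names and the example.com scenario are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class SrvLookup:
    """Result of resolving e.g. _ws._tcp.example.com (hypothetical structure)."""
    source_domain: str   # the name the user typed, e.g. "example.com"
    target: str          # host the SRV record delegates the service to
    dnssec_secure: bool  # True only if the resolver validated the answer (AD bit set)

def _dns_match(cert_name: str, reference: str) -> bool:
    """RFC 6125-style match: exact, or a single leading '*' label covering one label."""
    cert_name = cert_name.lower().rstrip(".")
    reference = reference.lower().rstrip(".")
    if cert_name.startswith("*."):
        first, _, rest = reference.partition(".")
        return bool(first) and rest == cert_name[2:]
    return cert_name == reference

def reference_identities(lookup: SrvLookup) -> list[str]:
    """Names a server reached through this SRV record may legitimately present."""
    ids = [lookup.source_domain]   # always: the identity the user actually asked for
    if lookup.dnssec_secure:       # the delegation to the target can be trusted
        ids.append(lookup.target)  # only because the SRV record itself was validated
    return ids

def certificate_accepted(lookup: SrvLookup, san_dns_names: list[str]) -> tuple[bool, str]:
    """Return (accepted, matched reference identity) for a cert's SAN dNSName list."""
    for ref in reference_identities(lookup):
        if any(_dns_match(san, ref) for san in san_dns_names):
            return True, ref
    return False, ""

if __name__ == "__main__":
    # Constructed scenario: example.com delegates its WebSocket service to a hoster.
    plain = SrvLookup("example.com", "ws1.hoster.example", dnssec_secure=False)
    signed = SrvLookup("example.com", "ws1.hoster.example", dnssec_secure=True)
    # Unvalidated SRV answer: a cert for the target alone proves nothing about example.com.
    print(certificate_accepted(plain, ["ws1.hoster.example"]))            # (False, '')
    # The hoster holding a cert for the source domain always works.
    print(certificate_accepted(plain, ["*.example.com", "example.com"]))  # (True, 'example.com')
    # With DNSSEC, the target's own identity becomes an acceptable intermediate.
    print(certificate_accepted(signed, ["ws1.hoster.example"]))           # (True, 'ws1.hoster.example')
```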