IETF Logo Mail Archive

Re: RFC 3207 (STARTTLS) question

Cyrus Daboo <daboo@isamet.com> Mon, 22 August 2005 22:59 UTC

Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j7MMxYZD005706; Mon, 22 Aug 2005 15:59:34 -0700 (PDT) (envelope-from owner-ietf-smtp@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id j7MMxYiQ005703; Mon, 22 Aug 2005 15:59:34 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-smtp@mail.imc.org using -f
Received: from darius.cyrusoft.com (darius.cyrusoft.com [63.163.82.2]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j7MMxXi8005683 for <ietf-smtp@imc.org>; Mon, 22 Aug 2005 15:59:33 -0700 (PDT) (envelope-from daboo@isamet.com)
Received: from ninevah.cyrusoft.com (pool-141-158-121-37.pitt.east.verizon.net [141.158.121.37]) (authenticated bits=0) by darius.cyrusoft.com (8.12.9/8.12.9) with ESMTP id j7MMuCuG003310 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Mon, 22 Aug 2005 18:56:14 -0400
Date: Mon, 22 Aug 2005 18:59:26 -0400
From: Cyrus Daboo <daboo@isamet.com>
To: Harald Tveit Alvestrand <harald@alvestrand.no>, ietf-smtp@imc.org
Subject: Re: RFC 3207 (STARTTLS) question
Message-ID: <B5A4F970E080C4726D9675C2@ninevah.cyrusoft.com>
In-Reply-To: <3DE6D776E6459703EA102867@B50854F0A9192E8EC6CDA126>
References: <3DE6D776E6459703EA102867@B50854F0A9192E8EC6CDA126>
X-Mailer: Mulberry/4.0.3 (Mac OS X)
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format="flowed"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
X-Spam-Status: No, hits=0.0 tests=none
Sender: owner-ietf-smtp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-smtp/mail-archive/>
List-ID: <ietf-smtp.imc.org>
List-Unsubscribe: <mailto:ietf-smtp-request@imc.org?body=unsubscribe>

Hi Harald,

--On August 22, 2005 12:02:49 PM -0700 Harald Tveit Alvestrand 
<harald@alvestrand.no> wrote:

> On reviewing T. Schorr's suggestion, I read this paragraph a few times:
>
>    The decision of whether or not to believe the authenticity of the
>    other party in a TLS negotiation is a local matter.  However, some
>    general rules for the decisions are:
>
>    -  A SMTP client would probably only want to authenticate an SMTP
>       server whose server certificate has a domain name that is the
>       domain name that the client thought it was connecting to.
>
> Now... I have a server that is an MX host for half-a-dozen domains, and
> has about 3 A records pointing to it (why is a long history).
>
> How does my server know which certificate to present to the client, so
> that the above general rule is satisfied?
>
> (For the MX case, the answer might be "content of the MX record" rather
> than "domain that contains the MX record" - doesn't help for the A case,
> and is not obvious from the text)
>
> Am I missing something obvious?

No - this is a 'known' problem. Its an issue for IMAP and other types of 
services too, where people want to run virtual domains off a single server.

<draft-ietf-tls-rfc3546bis-01.txt> (Section 3.1) attempts to address this 
by extending TLS to allow the client to specify the server name it is using 
during the TLS handshake, thus allowing the server to pick the appropriate 
certificate for that name.

-- 
Cyrus Daboo

v2.23.0 | Report a Bug | By Email