Re: UTA: Server certificate management (Re: Last Call: <draft-ietf-uta-email-tls-certs-05.txt>)

"John Levine" <johnl@taugh.com> Fri, 04 December 2015 03:53 UTC

Date: Fri, 04 Dec 2015 03:53:04 -0000
Message-ID: <20151204035304.37360.qmail@ary.lan>
From: John Levine <johnl@taugh.com>
To: ietf@ietf.org
Subject: Re: UTA: Server certificate management (Re: Last Call: <draft-ietf-uta-email-tls-certs-05.txt>)
In-Reply-To: <5660AD34.5010208@alvestrand.no>
Archived-At: <http://mailarchive.ietf.org/arch/msg/ietf/P7MKbMshnxhEPN4UPVuyU8HsndE>
Cc: harald@alvestrand.no

>The "technical omission" here is "using 6186 together with mail servers
>supporting a high number of domains is going to be painful, and this
>document doesn't say how to solve it".

Wait a minute.  If you don't use the SRV-IDs, which you don't need if
you use DNSSEC on the SRV records, 6186 scales just fine.  No SNI, nothing
but SRV records that have the domain name that should match the DNS-ID
the server presents.  What am I missing?

On the other hand, if you need the SRV-ID records, a server that
supports two domains is going to be just as schrod if the domains
don't happen to bear a relationship to the DNS-ID that CAs can verify.

R's,
John
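The two cases John contrasts (a DNSSEC-validated SRV lookup letting the client accept the server's own DNS-ID, versus an unvalidated lookup that forces the cert to carry an SRV-ID for every hosted domain) can be written down as a reference-identifier check. The following is an added example, not code from the thread or from the UTA draft; the class and function names, the matching rules (exact or single left-most wildcard for DNS-IDs, exact for SRV-IDs) and the sample domains are all constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Hypothetical model of an RFC 6186-style SRV lookup result (constructed for this example).
@dataclass
class SrvLookup:
    user_domain: str        # domain the user typed, e.g. "customer-a.example"
    service: str            # "imaps", "submission", ...
    target: str             # SRV target host the client will connect to
    dnssec_validated: bool  # resolver validated the SRV RRset with DNSSEC

# Hypothetical model of the identifiers found in the server certificate's SAN extension.
@dataclass
class ServerCert:
    dns_ids: List[str] = field(default_factory=list)  # dNSName entries
    srv_ids: List[str] = field(default_factory=list)  # SRVName entries, e.g. "_imaps.customer-a.example"


def _norm(name: str) -> str:
    return name.lower().rstrip(".")


def _dns_match(reference: str, presented: str) -> bool:
    """DNS-ID comparison: exact match, or a single '*' in the left-most label only."""
    reference, presented = _norm(reference), _norm(presented)
    if presented == reference:
        return True
    if presented.startswith("*."):
        r_labels, p_labels = reference.split("."), presented.split(".")
        return len(r_labels) == len(p_labels) and r_labels[1:] == p_labels[1:]
    return False


def reference_identifiers(srv: SrvLookup) -> List[Tuple[str, str]]:
    """Identifiers the client is allowed to accept for this connection.

    The SRV-ID and DNS-ID for the user's own domain are always acceptable.
    The SRV target's name is only trusted as a DNS-ID when the SRV record
    itself was DNSSEC-validated; otherwise an attacker who forged the SRV
    answer could simply point the client at a host whose cert they control.
    """
    refs = [("SRV-ID", f"_{srv.service}.{srv.user_domain}"),
            ("DNS-ID", srv.user_domain)]
    if srv.dnssec_validated:
        refs.append(("DNS-ID", srv.target))
    return refs


def cert_matches(srv: SrvLookup, cert: ServerCert) -> Optional[Tuple[str, str]]:
    """Return the (kind, reference) that matched, or None if the cert must be rejected."""
    for kind, reference in reference_identifiers(srv):
        if kind == "SRV-ID":
            if any(_norm(p) == _norm(reference) for p in cert.srv_ids):
                return (kind, reference)
        else:
            if any(_dns_match(reference, p) for p in cert.dns_ids):
                return (kind, reference)
    return None


def srv_ids_needed(hosted_domains: List[str], service: str, dnssec_validated: bool) -> List[str]:
    """How many SRV-IDs a shared mail server's cert needs to cover its customers.

    With DNSSEC-validated SRV records the answer is none: one DNS-ID for the
    server's own hostname serves every hosted domain. Without it, the cert
    must carry one SRV-ID per hosted domain, which is the scaling pain
    discussed in the thread.
    """
    if dnssec_validated:
        return []
    return [f"_{service}.{d}" for d in hosted_domains]


if __name__ == "__main__":
    # Constructed sample: a provider host serving a customer domain.
    cert = ServerCert(dns_ids=["mail.bigprovider.example"])
    validated = SrvLookup("customer-a.example", "imaps", "mail.bigprovider.example", True)
    unvalidated = SrvLookup("customer-a.example", "imaps", "mail.bigprovider.example", False)
    print(cert_matches(validated, cert))    # DNS-ID of the SRV target is enough
    print(cert_matches(unvalidated, cert))  # None: cert lacks an SRV-ID for the customer
```

The asymmetry is the one the post describes: run over ten thousand hosted domains, `srv_ids_needed` is empty when the SRV lookup is DNSSEC-validated and ten thousand entries long when it is not.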