Re: Last Call: <draft-ietf-uta-email-tls-certs-05.txt> (Updated TLS Server Identity Check Procedure for Email Related Protocols) to Proposed Standard
Alessandro Vesely <vesely@tana.it> Fri, 27 November 2015 19:50 UTC
Return-Path: <vesely@tana.it>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F2D431A21BD for <ietf@ietfa.amsl.com>; Fri, 27 Nov 2015 11:50:58 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.007
X-Spam-Level:
X-Spam-Status: No, score=-3.007 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HELO_EQ_IT=0.635, HOST_EQ_IT=1.245, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.585, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id csUkGXVwbS9w for <ietf@ietfa.amsl.com>; Fri, 27 Nov 2015 11:50:57 -0800 (PST)
Received: from wmail.tana.it (wmail.tana.it [62.94.243.226]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4C89F1A21B6 for <ietf@ietf.org>; Fri, 27 Nov 2015 11:50:56 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=tana.it; s=beta; t=1448653854; bh=E3W7sB7zTC2uHz95o1MsIG/wZZud0aaO2EYtMHPwzTo=; l=1073; h=Date:From:To:CC:References:In-Reply-To; b=rm95fpwrVQxzMgb++37dOjQkRuufsN3g0R13UwEcMyZuY2nOcJmKlfl9Gh2fXHGoN hTuXnLMrNFl01qWjT3jTnRMY0F5Fd7Ef+qB1Q/rdgeKxVx7TqXR0Rbyij9tHnjXfhA lX8dxfH/c8RpBeP///aARalSrWP8CRY/ev86GThw=
Authentication-Results: tana.it; auth=pass (details omitted)
Received: from [172.25.197.88] (pcale.tana [172.25.197.88]) (AUTH: CRAM-MD5 uXDGrn@SYT0/k) by wmail.tana.it with ESMTPA; Fri, 27 Nov 2015 20:50:54 +0100 id 00000000005DC044.000000005658B41E.00005B5C
Message-ID: <5658B41E.1050808@tana.it>
Date: Fri, 27 Nov 2015 20:50:54 +0100
From: Alessandro Vesely <vesely@tana.it>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Icedove/31.8.0
MIME-Version: 1.0
To: Alexey Melnikov <alexey.melnikov@isode.com>
Subject: Re: Last Call: <draft-ietf-uta-email-tls-certs-05.txt> (Updated TLS Server Identity Check Procedure for Email Related Protocols) to Proposed Standard
References: <20151120142925.18541.72151.idtracker@ietfa.amsl.com> <0C545746-E755-487D-8F0C-BB5981C2C5EE@vigilsec.com> <20151124055141.GD18315@mournblade.imrryr.org>
In-Reply-To: <20151124055141.GD18315@mournblade.imrryr.org>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/ietf/gjnazXrcUDQKvmAMMOsn0CGKY8s>
Cc: ietf@ietf.org
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ietf/>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 27 Nov 2015 19:50:59 -0000
Hi On Tue 24/Nov/2015 06:51:41 +0100 Viktor Dukhovni wrote: > > Section 3: > > 1. For DNS-ID and CN-ID identifier types the client MUST use one or > more of the following as "reference identifiers": (a) the right > hand side of the email address, (b) the hostname it used to open > the connection (without CNAME canonicalization). The client MAY > also use (c) a value securely derived from (a) or (b), such as > using "secure" DNSSEC validated lookup. > > The problem here is that "the right hand side of the email address" > is not clearly defined, which email address? It seems that the > email address in question here is that of the user (performing mail > submission or accessing his own mailbox). Also I would replace > "right hand side" with "domain part" (RFC 5322 email addresses are > <localpart@domainpart>). I quickly searched "vanity" in the list archive, to no avail. Section 6 misses a case where mail.example.net also serves user@example.com. Some guidance on how to check/configure vanity domains may be appropriate, IMHO. Ale
- Re: Last Call: <draft-ietf-uta-email-tls-certs-05… Russ Housley
- Re: Last Call: <draft-ietf-uta-email-tls-certs-05… Samir Srivastava
- Re: Last Call: <draft-ietf-uta-email-tls-certs-05… Samir Srivastava
- Re: Last Call: <draft-ietf-uta-email-tls-certs-05… Samir Srivastava
- SPAM: - Re: Last Call: <draft-ietf-uta-email-tls-… ComKal Networks
- Re: SPAM: - Re: Last Call: <draft-ietf-uta-email-… Samir Srivastava
- Re: SPAM: - Re: Last Call: <draft-ietf-uta-email-… Niels Dettenbach
- Re: SPAM: - Re: Last Call: <draft-ietf-uta-email-… Samir Srivastava
- Re: SPAM: - Re: Last Call: <draft-ietf-uta-email-… Samir Srivastava
- Re: SPAM: - Re: Last Call: <draft-ietf-uta-email-… Samir Srivastava
- Re: SPAM: - Re: Last Call: <draft-ietf-uta-email-… Randy Bush
- Re: SPAM: - Re: Last Call: <draft-ietf-uta-email-… Samir Srivastava
- Re: SPAM: - Re: Last Call: <draft-ietf-uta-email-… Randy Bush
- Re: SPAM: - Re: Last Call: <draft-ietf-uta-email-… Samir Srivastava
- Re: Last Call: <draft-ietf-uta-email-tls-certs-05… Alexey Melnikov
- Re: SPAM: - Re: Last Call: <draft-ietf-uta-email-… Samir Srivastava
- Re: Last Call: <draft-ietf-uta-email-tls-certs-05… Mike StJohns
- Re: Last Call: <draft-ietf-uta-email-tls-certs-05… John C Klensin
- Re: SPAM: - Re: Last Call: <draft-ietf-uta-email-… JORDI PALET MARTINEZ
- Re: SPAM: - Re: Last Call: <draft-ietf-uta-email-… Samir Srivastava
- Re: Last Call: <draft-ietf-uta-email-tls-certs-05… Leif Johansson
- Re: Last Call: <draft-ietf-uta-email-tls-certs-05… Russ Housley
- Re: Last Call: <draft-ietf-uta-email-tls-certs-05… Viktor Dukhovni
- Re: Last Call: <draft-ietf-uta-email-tls-certs-05… Viktor Dukhovni
- Re: Last Call: <draft-ietf-uta-email-tls-certs-05… JORDI PALET MARTINEZ
- Re: Last Call: <draft-ietf-uta-email-tls-certs-05… stephen.farrell
- Re: [Uta] Last Call: <draft-ietf-uta-email-tls-ce… Alexey Melnikov
- Re: [Uta] Last Call: <draft-ietf-uta-email-tls-ce… Julien ÉLIE
- Re: Last Call: <draft-ietf-uta-email-tls-certs-05… Alessandro Vesely
- Re: Last Call: <draft-ietf-uta-email-tls-certs-05… Alexey Melnikov
- Re: Last Call: <draft-ietf-uta-email-tls-certs-05… Viktor Dukhovni
- Re: Last Call: <draft-ietf-uta-email-tls-certs-05… John C Klensin
- Re: Last Call: <draft-ietf-uta-email-tls-certs-05… Viktor Dukhovni
- Re: Last Call: <draft-ietf-uta-email-tls-certs-05… Alexey Melnikov
- Re: [Uta] Last Call: <draft-ietf-uta-email-tls-ce… Alexey Melnikov
- Re: Last Call: <draft-ietf-uta-email-tls-certs-05… Alessandro Vesely
- UTA: Server certificate management (Re: Last Call… Harald Alvestrand
- Re: UTA: Server certificate management (Re: Last … John Levine
- Re: UTA: Server certificate management (Re: Last … Dave Cridland
- Re: UTA: Server certificate management (Re: Last … Viktor Dukhovni
- Re: UTA: Server certificate management (Re: Last … Harald Alvestrand
- Re: UTA: Server certificate management (Re: Last … Alexey Melnikov
- Re: UTA: Server certificate management (Re: Last … Alexey Melnikov
- Re: UTA: Server certificate management (Re: Last … John Levine
- Re: UTA: Server certificate management (Re: Last … Harald Alvestrand
- Re: UTA: Server certificate management (Re: Last … Harald Alvestrand
- Re: UTA: Server certificate management (Re: Last … Viktor Dukhovni
- Re: UTA: Server certificate management (Re: Last … John Levine
- Re: UTA: Server certificate management (Re: Last … Viktor Dukhovni
- Re: UTA: Server certificate management (Re: Last … John Levine
- Re: UTA: Server certificate management (Re: Last … Viktor Dukhovni
- Re: UTA: Server certificate management (Re: Last … John Levine
- Re: UTA: Server certificate management (Re: Last … Harald Alvestrand
- Re: UTA: Server certificate management (Re: Last … Viktor Dukhovni
- Re: UTA: Server certificate management (Re: Last … Harald Alvestrand
- Re: UTA: Server certificate management (Re: Last … John C Klensin
- Re: UTA: Server certificate management (Re: Last … John R Levine
- Re: UTA: Server certificate management (Re: Last … Mark Andrews
- Re: UTA: Server certificate management (Re: Last … Joe Hildebrand
- Re: UTA: Server certificate management (Re: Last … John R Levine
- Re: UTA: Server certificate management (Re: Last … John Levine
- Re: UTA: Server certificate management (Re: Last … Alexey Melnikov
- Re: UTA: Server certificate management (Re: Last … Alessandro Vesely