IETF Logo Mail Archive

Re: [TLS] MTI extensions?

Jeffrey Walton <noloader@gmail.com> Sun, 15 March 2015 21:52 UTC

Return-Path: <noloader@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C82E91A1B92 for <tls@ietfa.amsl.com>; Sun, 15 Mar 2015 14:52:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gUoG5OgyFGXn for <tls@ietfa.amsl.com>; Sun, 15 Mar 2015 14:52:13 -0700 (PDT)
Received: from mail-ig0-x230.google.com (mail-ig0-x230.google.com [IPv6:2607:f8b0:4001:c05::230]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 72F641A1B8A for <tls@ietf.org>; Sun, 15 Mar 2015 14:52:13 -0700 (PDT)
Received: by igbue6 with SMTP id ue6so26494395igb.1 for <tls@ietf.org>; Sun, 15 Mar 2015 14:52:13 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:reply-to:in-reply-to:references:date:message-id :subject:from:to:content-type; bh=UwePxwU+wf4Ug1zZW+pa0e0R1Fk0dmwbnFjgWdjtJ8E=; b=XHIzv+ORa+mj1VO6H/PJ5Ju7E4cZ2scYzEAXEII2K9a2A/+iMIrF6uEDyNItYNt1jm 1CcQbod6FEPDRNTuXrSJzNSr9vu/3hKKXA6HEe/evdaANXhQhQmk9n+zoEeIbniwJwP2 ovA8s0jSwXYtF/Tx3fkFVW8luIHLYWKrmPEl7TCF7fZol/X3p//McVwd4XnshkIwmL4F 5bI7qC95EsqZ3C0AxaqJYmTbo9SUGDAwKUh0DU+CW5JUQa81Py3lFxfRon7IP224cMBn Qt6PRRhxKImOJT022tlkMuVL6cQPzfiqga8NfdcXFkSf2cBJdoPI+jdxbOBBtQorpumj RrbA==
MIME-Version: 1.0
X-Received: by 10.50.30.130 with SMTP id s2mr103984416igh.11.1426456332978; Sun, 15 Mar 2015 14:52:12 -0700 (PDT)
Received: by 10.36.81.15 with HTTP; Sun, 15 Mar 2015 14:52:12 -0700 (PDT)
In-Reply-To: <20150315212843.GU27479@mournblade.imrryr.org>
References: <201503140212.53255.davemgarrett@gmail.com> <CABkgnnVxV3W5vMgUwCPGVzQYFAsmv4cY18xECQRbHu1QVdW_tQ@mail.gmail.com> <201503151659.02311.davemgarrett@gmail.com> <CABcZeBO6av8u2QN-aASjADw088eAN6hCFgAaAgQP9ECH0BrZSw@mail.gmail.com> <20150315212843.GU27479@mournblade.imrryr.org>
Date: Sun, 15 Mar 2015 17:52:12 -0400
Message-ID: <CAH8yC8nNiLZoYgds=6iK8UyGUNhcy9uyAM5ciAA_HFzP6+7z=A@mail.gmail.com>
From: Jeffrey Walton <noloader@gmail.com>
To: "tls@ietf.org" <tls@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/44DfC9BYDi_P9nnFCCTkuek6_rI>
Subject: Re: [TLS] MTI extensions?
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: noloader@gmail.com
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 15 Mar 2015 21:52:14 -0000

> This is a significant consideration for SMTP with DANE, because
> clients use the TLSA base domain (typically MX host name) in the
> SNI message, but will also accept other names (typically the
> recipient domain for which the server is an MX host).  The server
> may have just one "UCC" certificate for the recipient domain, and
> MUST NOT abort the connection just because the client seems to want

I think cases like this should be considered further. There's too many
open questions surrounding use cases like this.

Jeff

On Sun, Mar 15, 2015 at 5:28 PM, Viktor Dukhovni <ietf-dane@dukhovni.org> wrote:
> On Sun, Mar 15, 2015 at 02:13:14PM -0700, Eric Rescorla wrote:
>
>> SNI might be plausible as a MUST implement but there are plenty of cases
>> where it's not sensible to be MUST send, as in where there is no server
>> hostname. E.g., WebRTC.
>
> Furthermore, even when SNI is sent, a server should generally NOT
> abort the handshake when it does not find a match for the requested
> name.
>
> Rather, it is better for the server to choose *some* other (often
> default) certificate, and leave it up to the client to decide
> whether that one is also acceptable.
>
> This is a signficant consideration for SMTP with DANE, because
> clients use the TLSA base domain (typically MX host name) in the
> SNI message, but will also accept other names (typically the
> recipient domain for which the server is an MX host).  The server
> may have just one "UCC" certificate for the recipient domain, and
> MUST NOT abort the connection just because the client seems to want
> something else.

v2.23.0 | Report a Bug | By Email