Re: [Uta] Eric Rescorla's Discuss on draft-ietf-uta-mta-sts-17: (with DISCUSS and COMMENT)

Alberto Bertogli <albertito@blitiri.com.ar> Fri, 04 May 2018 14:57 UTC

Date: Fri, 04 May 2018 15:56:12 +0100
From: Alberto Bertogli <albertito@blitiri.com.ar>
To: Viktor Dukhovni <viktor@dukhovni.org>
Cc: uta@ietf.org, draft-ietf-uta-mta-sts@ietf.org, uta-chairs@ietf.org, The IESG <iesg@ietf.org>
Message-ID: <20180504145612.jh6ly5flldqw3cap@blitiri.com.ar>
References: <152539648489.11713.7895583526344282774.idtracker@ietfa.amsl.com> <20180504051945.GS3322@mournblade.imrryr.org>
In-Reply-To: <20180504051945.GS3322@mournblade.imrryr.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/uta/1GbMTmQ420g6wLPUaO0E82ZgOxg>
Subject: Re: [Uta] Eric Rescorla's Discuss on draft-ietf-uta-mta-sts-17: (with DISCUSS and COMMENT)

On Fri, May 04, 2018 at 05:19:46AM +0000, Viktor Dukhovni wrote:
>On Thu, May 03, 2018 at 06:14:44PM -0700, Eric Rescorla wrote:
>> >      2.  That at least one of the policy's "mx" patterns matches at least
>> >          one of the identities presented in the MX's X.509 certificate, as
>> >          described in "MX Certificate Validation".
>>
>> IMPORTANT: This doesn't seem like quite what you want. Consider
>> the case where the STS policy has:
>>
>>    mx: mx1.example.com
>>    mx: mx2.example.com
>>
>> And I then attempt to send to mx1.example.com, send SNI=mx1.example.com,
>> and get a cert that is only valid for mx2.example.com.
>
>[ This was discussed extensively in the WG.  This part of the design
>  is substantially my doing... ]

For ease of reference, these are some of those discussions where people 
(including me) raised concerns about the custom certificate matching:

https://www.ietf.org/mail-archive/web/uta/current/msg02195.html

https://www.ietf.org/mail-archive/web/uta/current/msg01922.html

https://www.ietf.org/mail-archive/web/uta/current/msg02308.html

Thanks,
		Alberto
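The matching rule quoted above, worked through in code as an added illustration that is not part of this message, the draft, or any MTA implementation. It evaluates the draft-17 step 2 as quoted (at least one policy "mx" pattern matches at least one identity in the certificate) side by side with the ordinary check Eric's scenario points at (the certificate is valid for the host name actually connected to). The single-label wildcard semantics for both "mx" patterns and certificate DNS-IDs are my reading of RFC 8461 and RFC 6125; the policy text, host names and SAN lists are constructed for the example.

```python
"""Policy-pattern vs. certificate-identity matching, as discussed in the thread.

Added example, not code from the draft or any MTA. Wildcard handling (a
"*.example.com" pattern or SAN covers exactly one extra left-most label) is
my reading of RFC 8461 / RFC 6125. All inputs below are constructed.
"""


def _labels(name):
    """Normalise a DNS name to lowercase labels without a trailing dot."""
    return name.lower().rstrip(".").split(".")


def name_matches(pattern, name):
    """True if `pattern` (possibly "*.parent") covers `name`.

    A wildcard covers a single additional left-most label only, so
    "*.example.com" covers "mx1.example.com" but neither "example.com"
    nor "a.b.example.com".
    """
    p, n = _labels(pattern), _labels(name)
    if p[0] == "*":
        return len(n) == len(p) and n[1:] == p[1:]
    return p == n


def parse_policy(text):
    """Parse the "key: value" lines of an MTA-STS policy; "mx" may repeat."""
    policy = {"mx": []}
    for line in text.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key == "mx":
            policy["mx"].append(value)
        else:
            policy[key] = value
    return policy


def policy_covers_cert(policy, san_dns_ids):
    """Draft-17 step 2 as quoted: some 'mx' pattern matches some identity
    presented in the certificate. Either side may carry the wildcard."""
    return any(
        name_matches(pattern, ident) or name_matches(ident, pattern)
        for pattern in policy["mx"]
        for ident in san_dns_ids
    )


def cert_covers_host(san_dns_ids, hostname):
    """The usual RFC 6125 style check: the certificate is valid for the
    host we connected to (the name sent in SNI)."""
    return any(name_matches(ident, hostname) for ident in san_dns_ids)


def evaluate(policy_text, hostname, san_dns_ids):
    """Return both verdicts so the two rules can be compared for one TLS session."""
    policy = parse_policy(policy_text)
    return {
        "policy_matches_cert": policy_covers_cert(policy, san_dns_ids),
        "cert_matches_host": cert_covers_host(san_dns_ids, hostname),
    }


# Constructed policy, mirroring the one in Eric's scenario.
POLICY = """version: STSv1
mode: enforce
mx: mx1.example.com
mx: mx2.example.com
max_age: 86400
"""

if __name__ == "__main__":
    # Eric's case: connect to mx1, receive a certificate valid only for mx2.
    # The quoted rule accepts it; the host-name check does not.
    print(evaluate(POLICY, "mx1.example.com", ["mx2.example.com"]))
    # A wildcard certificate for the zone satisfies both checks.
    print(evaluate(POLICY, "mx1.example.com", ["*.example.com"]))
```

Run it as a script to see the two verdicts for Eric's scenario; `policy_matches_cert` is true while `cert_matches_host` is false, which is exactly the gap his DISCUSS describes.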