Re: [Uta] Eric Rescorla's Discuss on draft-ietf-uta-mta-sts-17: (with DISCUSS and COMMENT)
Alberto Bertogli <albertito@blitiri.com.ar> Fri, 04 May 2018 14:57 UTC
Return-Path: <albertito@blitiri.com.ar>
X-Original-To: uta@ietfa.amsl.com
Delivered-To: uta@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8CD2A12D881 for <uta@ietfa.amsl.com>; Fri, 4 May 2018 07:57:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 1.435
X-Spam-Level: *
X-Spam-Status: No, score=1.435 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_SBL_CSS=3.335, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fthrc_LRezi6 for <uta@ietfa.amsl.com>; Fri, 4 May 2018 07:57:47 -0700 (PDT)
Received: from blitiri.com.ar (cdt.blitiri.com.ar [IPv6:2001:41d0:401:3100::2c1a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EE1B712D810 for <uta@ietf.org>; Fri, 4 May 2018 07:57:46 -0700 (PDT)
Received: from blitiri.com.ar (authenticated as alb@blitiri.com.ar) by cdt.blitiri.com.ar (chasquid) (over submission TLS-1.2-TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) (envelope from "albertito@blitiri.com.ar") ; Fri, 04 May 2018 15:56:12 +0100
Date: Fri, 04 May 2018 15:56:12 +0100
From: Alberto Bertogli <albertito@blitiri.com.ar>
To: Viktor Dukhovni <viktor@dukhovni.org>
Cc: uta@ietf.org, draft-ietf-uta-mta-sts@ietf.org, uta-chairs@ietf.org, The IESG <iesg@ietf.org>
Message-ID: <20180504145612.jh6ly5flldqw3cap@blitiri.com.ar>
References: <152539648489.11713.7895583526344282774.idtracker@ietfa.amsl.com> <20180504051945.GS3322@mournblade.imrryr.org>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format="flowed"
Content-Disposition: inline
In-Reply-To: <20180504051945.GS3322@mournblade.imrryr.org>
User-Agent: NeoMutt/20170609 (1.8.3)
Archived-At: <https://mailarchive.ietf.org/arch/msg/uta/1GbMTmQ420g6wLPUaO0E82ZgOxg>
Subject: Re: [Uta] Eric Rescorla's Discuss on draft-ietf-uta-mta-sts-17: (with DISCUSS and COMMENT)
X-BeenThere: uta@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: UTA working group mailing list <uta.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/uta>, <mailto:uta-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/uta/>
List-Post: <mailto:uta@ietf.org>
List-Help: <mailto:uta-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/uta>, <mailto:uta-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 04 May 2018 14:57:48 -0000
On Fri, May 04, 2018 at 05:19:46AM +0000, Viktor Dukhovni wrote: >On Thu, May 03, 2018 at 06:14:44PM -0700, Eric Rescorla wrote: >> > 2. That at least one of the policy's "mx" patterns matches at least >> > one of the identities presented in the MX's X.509 certificate, as >> > described in "MX Certificate Validation". >> >> IMPORTANT: This doesn't seem like quite what you want. Consider >> the case where the STS policy has: >> >> mx: mx1.example.com >> mx: mx2.example.com >> >> And I then attempt to send to mx1.example.com, send SNI=mx1.example.com, >> and get a cert that is only valid for mx2.example.com. > >[ This was discussed extensively in the WG. This part of the design > is substantially my doing... ] For ease of reference, these are some of those discussions where people (including me) raised concerns about the custom certificate matching: https://www.ietf.org/mail-archive/web/uta/current/msg02195.html https://www.ietf.org/mail-archive/web/uta/current/msg01922.html https://www.ietf.org/mail-archive/web/uta/current/msg02308.html Thanks, Alberto
- [Uta] Eric Rescorla's Discuss on draft-ietf-uta-m… Eric Rescorla
- Re: [Uta] Eric Rescorla's Discuss on draft-ietf-u… Viktor Dukhovni
- Re: [Uta] Eric Rescorla's Discuss on draft-ietf-u… Eric Rescorla
- Re: [Uta] Eric Rescorla's Discuss on draft-ietf-u… Viktor Dukhovni
- Re: [Uta] Eric Rescorla's Discuss on draft-ietf-u… Alberto Bertogli
- Re: [Uta] Eric Rescorla's Discuss on draft-ietf-u… Eric Rescorla
- Re: [Uta] Eric Rescorla's Discuss on draft-ietf-u… Viktor Dukhovni
- Re: [Uta] Eric Rescorla's Discuss on draft-ietf-u… Daniel Margolis
- Re: [Uta] Eric Rescorla's Discuss on draft-ietf-u… Daniel Margolis
- Re: [Uta] Eric Rescorla's Discuss on draft-ietf-u… Viktor Dukhovni
- Re: [Uta] Eric Rescorla's Discuss on draft-ietf-u… Daniel Margolis
- Re: [Uta] Eric Rescorla's Discuss on draft-ietf-u… Viktor Dukhovni
- Re: [Uta] Eric Rescorla's Discuss on draft-ietf-u… Viktor Dukhovni
- Re: [Uta] Eric Rescorla's Discuss on draft-ietf-u… Daniel Margolis
- Re: [Uta] Eric Rescorla's Discuss on draft-ietf-u… Viktor Dukhovni
- Re: [Uta] Eric Rescorla's Discuss on draft-ietf-u… Daniel Margolis
- Re: [Uta] Eric Rescorla's Discuss on draft-ietf-u… Viktor Dukhovni
- Re: [Uta] Eric Rescorla's Discuss on draft-ietf-u… Leif Johansson
- Re: [Uta] Eric Rescorla's Discuss on draft-ietf-u… Viktor Dukhovni
- Re: [Uta] Eric Rescorla's Discuss on draft-ietf-u… Leif Johansson
- Re: [Uta] Eric Rescorla's Discuss on draft-ietf-u… Viktor Dukhovni
- Re: [Uta] Eric Rescorla's Discuss on draft-ietf-u… Leif Johansson
- Re: [Uta] Eric Rescorla's Discuss on draft-ietf-u… Daniel Margolis
- Re: [Uta] Eric Rescorla's Discuss on draft-ietf-u… Alberto Bertogli
- Re: [Uta] Eric Rescorla's Discuss on draft-ietf-u… Daniel Margolis