Re: [Uta] UTA: Server certificate management (Re: Last Call: <draft-ietf-uta-email-tls-certs-05.txt>)
Alexey Melnikov <alexey.melnikov@isode.com> Wed, 02 December 2015 14:48 UTC
Return-Path: <alexey.melnikov@isode.com>
X-Original-To: uta@ietfa.amsl.com
Delivered-To: uta@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 15C011A910F for <uta@ietfa.amsl.com>; Wed, 2 Dec 2015 06:48:00 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.011
X-Spam-Level:
X-Spam-Status: No, score=-2.011 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qW1aveOOtc8a for <uta@ietfa.amsl.com>; Wed, 2 Dec 2015 06:47:59 -0800 (PST)
Received: from waldorf.isode.com (waldorf.isode.com [62.232.206.188]) by ietfa.amsl.com (Postfix) with ESMTP id DD5061A90F0 for <uta@ietf.org>; Wed, 2 Dec 2015 06:47:58 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; t=1449067677; d=isode.com; s=selector; i=@isode.com; bh=utqjllemUwasdXrJJlSWy/xqGKQxjfFD6azmqZ3FaV8=; h=From:Sender:Reply-To:Subject:Date:Message-ID:To:Cc:MIME-Version: In-Reply-To:References:Content-Type:Content-Transfer-Encoding: Content-ID:Content-Description; b=ocRnKqv25C2GuOV7dKGhl47TS35dXq/67W/oWvxAqOLgnJsthGQQmTLrjQOpiOj068KALH QjUux9RzzKr0yRONmSEKbBft3Eu+d9lCM++7fxWL/d67zxGLA/wuxVWqu+bRlN4DJz9r9Y /OKvrJstNNVdR3c3CnzIsBq7i/Z+Sdw=;
Received: from [172.20.1.215] (dhcp-215.isode.net [172.20.1.215]) by waldorf.isode.com (submission channel) via TCP with ESMTPSA id <Vl8EnAArT31F@waldorf.isode.com>; Wed, 2 Dec 2015 14:47:57 +0000
Message-ID: <565F048E.3@isode.com>
Date: Wed, 02 Dec 2015 14:47:42 +0000
From: Alexey Melnikov <alexey.melnikov@isode.com>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Thunderbird/31.7.0
To: John R Levine <johnl@taugh.com>
References: <20151201183802.18651.qmail@ary.lan> <565EE1DB.4030707@isode.com> <alpine.OSX.2.11.1512020839490.21537@ary.lan>
In-Reply-To: <alpine.OSX.2.11.1512020839490.21537@ary.lan>
MIME-Version: 1.0
Content-Type: text/plain; charset="windows-1252"; format="flowed"
Content-Transfer-Encoding: 7bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/uta/498Z0pr5EowVWP5evJlUGRsJCdo>
Cc: uta@ietf.org
Subject: Re: [Uta] UTA: Server certificate management (Re: Last Call: <draft-ietf-uta-email-tls-certs-05.txt>)
X-BeenThere: uta@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: UTA working group mailing list <uta.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/uta>, <mailto:uta-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/uta/>
List-Post: <mailto:uta@ietf.org>
List-Help: <mailto:uta-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/uta>, <mailto:uta-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 02 Dec 2015 14:48:00 -0000
Hi John, On 02/12/2015 13:42, John R Levine wrote: >> But it has to be signed by a CA. If the CA is not happy for you to >> assert SRV-ID, it should not include SRV-ID in an issued certificate. > > Now I'm really confused. Are you saying the SRV-ID is optional? I am saying that CAs can't sign what they can't validate. This is nothing new, the same applies to DNS-ID or CN-ID. So if a CA wants to sign SRV-ID, it needs a way to validate it. > If so, what's the point of it? In nearly all cases, there's no way > for a CA to tell what SRV-IDs it should allow, so nobody will use them. Some enterprise CAs or CAs which are also MSPs might be able to validate SRV-IDs. Also when SRV record points to a subdomain of the right hand side, CA might treat this as allowed without validation. > (This is in addition to the problems that a large mail host handles > tens of thousands of domains, and the list changes every day.) > > Regards, > John Levine, johnl@taugh.com, Taughannock Networks, Trumansburg NY > Please consider the environment before reading this e-mail.
- [Uta] Last Call: <draft-ietf-uta-email-tls-certs-… The IESG
- Re: [Uta] Last Call: <draft-ietf-uta-email-tls-ce… Russ Housley
- Re: [Uta] Last Call: <draft-ietf-uta-email-tls-ce… Alexey Melnikov
- Re: [Uta] Last Call: <draft-ietf-uta-email-tls-ce… Leif Johansson
- Re: [Uta] Last Call: <draft-ietf-uta-email-tls-ce… Russ Housley
- Re: [Uta] Last Call: <draft-ietf-uta-email-tls-ce… Viktor Dukhovni
- Re: [Uta] Last Call: <draft-ietf-uta-email-tls-ce… Viktor Dukhovni
- Re: [Uta] Last Call: <draft-ietf-uta-email-tls-ce… stephen.farrell
- Re: [Uta] Last Call: <draft-ietf-uta-email-tls-ce… Alexey Melnikov
- Re: [Uta] Last Call: <draft-ietf-uta-email-tls-ce… Julien ÉLIE
- Re: [Uta] Last Call: <draft-ietf-uta-email-tls-ce… Alexey Melnikov
- Re: [Uta] Last Call: <draft-ietf-uta-email-tls-ce… Leif Johansson
- Re: [Uta] UTA: Server certificate management (Re:… Viktor Dukhovni
- Re: [Uta] UTA: Server certificate management (Re:… John Levine
- Re: [Uta] UTA: Server certificate management (Re:… Viktor Dukhovni
- Re: [Uta] UTA: Server certificate management (Re:… John Levine
- Re: [Uta] UTA: Server certificate management (Re:… Alexey Melnikov
- Re: [Uta] UTA: Server certificate management (Re:… Alexey Melnikov
- Re: [Uta] UTA: Server certificate management (Re:… John R Levine
- Re: [Uta] UTA: Server certificate management (Re:… Alexey Melnikov
- Re: [Uta] UTA: Server certificate management (Re:… John Levine
- Re: [Uta] UTA: Server certificate management (Re:… Alexey Melnikov
- Re: [Uta] UTA: Server certificate management (Re:… John R Levine
- Re: [Uta] UTA: Server certificate management (Re:… Alexey Melnikov
- Re: [Uta] UTA: Server certificate management (Re:… John R Levine
- Re: [Uta] UTA: Server certificate management (Re:… Alexey Melnikov