IETF Logo Mail Archive

Re: [Uta] UTA: Server certificate management (Re: Last Call: <draft-ietf-uta-email-tls-certs-05.txt>)

Viktor Dukhovni <ietf-dane@dukhovni.org> Tue, 01 December 2015 18:59 UTC

Return-Path: <ietf-dane@dukhovni.org>
X-Original-To: uta@ietfa.amsl.com
Delivered-To: uta@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D4E6C1B2F19 for <uta@ietfa.amsl.com>; Tue, 1 Dec 2015 10:59:19 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id o7rIcW8kdnyJ for <uta@ietfa.amsl.com>; Tue, 1 Dec 2015 10:59:18 -0800 (PST)
Received: from mournblade.imrryr.org (mournblade.imrryr.org [38.117.134.19]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 607ED1B2F1E for <uta@ietf.org>; Tue, 1 Dec 2015 10:59:17 -0800 (PST)
Received: by mournblade.imrryr.org (Postfix, from userid 1034) id 5E6E4284E35; Tue, 1 Dec 2015 18:59:16 +0000 (UTC)
Date: Tue, 01 Dec 2015 18:59:16 +0000
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
To: uta@ietf.org
Message-ID: <20151201185916.GM18315@mournblade.imrryr.org>
References: <20151201173724.GH18315@mournblade.imrryr.org> <20151201183802.18651.qmail@ary.lan>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <20151201183802.18651.qmail@ary.lan>
User-Agent: Mutt/1.5.24 (2015-08-30)
Archived-At: <http://mailarchive.ietf.org/arch/msg/uta/NWXHXVgCQpF56Pgryfwu2UEZvpc>
Subject: Re: [Uta] UTA: Server certificate management (Re: Last Call: <draft-ietf-uta-email-tls-certs-05.txt>)
X-BeenThere: uta@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: uta@ietf.org
List-Id: UTA working group mailing list <uta.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/uta>, <mailto:uta-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/uta/>
List-Post: <mailto:uta@ietf.org>
List-Help: <mailto:uta-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/uta>, <mailto:uta-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 01 Dec 2015 18:59:20 -0000

On Tue, Dec 01, 2015 at 06:38:02PM -0000, John Levine wrote:

> >The key word in that text is "another".  This does not require the
> >server to have a certificate that matches this identifier, provided
> >there is some other some suitable identifier.  It provides additional
> >flexibility, not a constraint.
> >
> >NOTE HOWEVER, that use of the server name from the SRV record as
> >a DNS-ID reference identifier offers no security at all absent
> >DNSSEC.  So "another" might become "only" in that case.
> 
> Then we have a problem, since the SRV-ID is just an assertion from the
> server.
>
> What's to keep an evil MITM from putting dukhovni.org as a
> SRV-ID in its submit and imaps certificate?

The trusted CA presumably, if it is not negligent.

> >I am not aware of any adoption of RFC 6186.  Are there are any MUAs
> >actually doing RFC 6186 SRV lookups?  If there are none, is it worth
> >debating?
> 
> In the lack of plausible alternatives, I think so.

Well, the plausible alternatives are explicit static configuration
of the server names by the user, per instruction from the provider.
This "out of band 6186" if you like.  That's largely what happens
today, except that for some popular providers, many user agents
come preloaded with default settings.

The other plausible alternatives are DNSSEC, or "ask the user".

-- 
	Viktor.

v2.23.0 | Report a Bug | By Email