Re: [Uta] Benjamin Kaduk's No Objection on draft-ietf-uta-smtp-require-tls-09: (with COMMENT)
Benjamin Kaduk <kaduk@mit.edu> Fri, 02 August 2019 22:31 UTC
Return-Path: <kaduk@mit.edu>
X-Original-To: uta@ietfa.amsl.com
Delivered-To: uta@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 36710120077; Fri, 2 Aug 2019 15:31:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.2
X-Spam-Level:
X-Spam-Status: No, score=-4.2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5oFUNOPnDS9R; Fri, 2 Aug 2019 15:31:02 -0700 (PDT)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4F3E6120059; Fri, 2 Aug 2019 15:31:02 -0700 (PDT)
Received: from kduck.mit.edu ([24.16.140.251]) (authenticated bits=56) (User authenticated as kaduk@ATHENA.MIT.EDU) by outgoing.mit.edu (8.14.7/8.12.4) with ESMTP id x72MUmcK006588 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Fri, 2 Aug 2019 18:30:51 -0400
Date: Fri, 02 Aug 2019 17:30:47 -0500
From: Benjamin Kaduk <kaduk@mit.edu>
To: Jim Fenton <fenton@bluepopcorn.net>
Cc: The IESG <iesg@ietf.org>, draft-ietf-uta-smtp-require-tls@ietf.org, Valery Smyslov <valery@smyslov.net>, uta-chairs@ietf.org, uta@ietf.org
Message-ID: <20190802223047.GC1006@kduck.mit.edu>
References: <156478360827.20869.9871138241170740997.idtracker@ietfa.amsl.com> <b1cf0b07-03fc-61f9-d3e6-add909c1217f@bluepopcorn.net>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <b1cf0b07-03fc-61f9-d3e6-add909c1217f@bluepopcorn.net>
User-Agent: Mutt/1.10.1 (2018-07-13)
Archived-At: <https://mailarchive.ietf.org/arch/msg/uta/OSovfX8SrkIS0iYZkwYMrGbBKYo>
Subject: Re: [Uta] Benjamin Kaduk's No Objection on draft-ietf-uta-smtp-require-tls-09: (with COMMENT)
X-BeenThere: uta@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: UTA working group mailing list <uta.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/uta>, <mailto:uta-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/uta/>
List-Post: <mailto:uta@ietf.org>
List-Help: <mailto:uta-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/uta>, <mailto:uta-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 02 Aug 2019 22:31:05 -0000
On Fri, Aug 02, 2019 at 03:18:39PM -0700, Jim Fenton wrote: > On 8/2/19 3:06 PM, Benjamin Kaduk via Datatracker wrote: > > > ---------------------------------------------------------------------- > > COMMENT: > > ---------------------------------------------------------------------- > > > > Thank you for resolving my Discuss points! > > > > I do think the added text in Section 4.2.1 about DNS-ID/CN-ID should > > probably be clarified that it only applies to the RFC 6125 procedures and > > not the RFC 7672 ones. > > > Thanks for your review. > > Since RFC 7672 (section 1.1, definition of "Reference identifier") calls > out the use of use of CN-ID if no DNS-ID (subjectAltName of type > dNSName) is present, I don't really see a conflict between the wording > in the draft and 7672. Or is the concern that we shouldn't be allowing > the use of CN-ID if DNS-ID is present? I could be mistaken, but my understanding was that for DANE, the "reference identifier" (compared against the DNS-ID/CN-ID) was not necessarily going to be the result of an MX lookup (or A record fallback). So I wasn't concerned about the DNS-ID/CN-ID part per se, but the other part of the added text -- that was just a convenient way to refer to the chunk that changed. > I have always thought that the "alternative" nature of subjectAltName > means that those names are allowed to be used in addition to commonName, > but I guess that isn't really the way things work. It's a natural assumption! I guess that the commonName was defined without the benefit of many years of deployment experience (and without knowledge of the craziness that the modern Internet has become!), so it's just not well suited for (many of) the situations we work in anymore. The subjectAltName is more flexible and has survived the disruption better. (Not that I was around for the start of it, of course...) -Ben
- [Uta] Benjamin Kaduk's No Objection on draft-ietf… Benjamin Kaduk via Datatracker
- Re: [Uta] Benjamin Kaduk's No Objection on draft-… Jim Fenton
- Re: [Uta] Benjamin Kaduk's No Objection on draft-… Benjamin Kaduk