Re: [Uta] Last Call: <draft-ietf-uta-email-tls-certs-05.txt> (Updated TLS Server Identity Check Procedure for Email Related Protocols) to Proposed Standard
Alexey Melnikov <alexey.melnikov@isode.com> Tue, 24 November 2015 13:30 UTC
Return-Path: <alexey.melnikov@isode.com>
X-Original-To: uta@ietfa.amsl.com
Delivered-To: uta@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3F75B1A6F1E; Tue, 24 Nov 2015 05:30:38 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.585
X-Spam-Level:
X-Spam-Status: No, score=-4.585 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, GB_I_LETTER=-2, HTML_MESSAGE=0.001, RP_MATCHES_RCVD=-0.585, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AYgj2eZmTHr5; Tue, 24 Nov 2015 05:30:35 -0800 (PST)
Received: from waldorf.isode.com (waldorf.isode.com [217.34.220.150]) by ietfa.amsl.com (Postfix) with ESMTP id B8A6E1A1B40; Tue, 24 Nov 2015 05:30:34 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; t=1448371832; d=isode.com; s=selector; i=@isode.com; bh=QC5p+ntALx5ekQTt+pnBfPUX8QRgEyz4weHAEJEJFKM=; h=From:Sender:Reply-To:Subject:Date:Message-ID:To:Cc:MIME-Version: In-Reply-To:References:Content-Type:Content-Transfer-Encoding: Content-ID:Content-Description; b=MxcErXqyuyqAApCG0NCSDvWccxVBoiiw/eCMcitjPuTGgddkz3J5fvQPmYIzQw6NcdSq+3 +ASTUue1AL+fCDxZzmsRJnbbZhZZTFkBpZsX2PfTWN5awY+yhTBNAVTlUkI5Lk88yfaM6Z hImgGHOtqPEudlaZoHnvcXi0QCjcbmU=;
Received: from [172.20.1.215] (dhcp-215.isode.net [172.20.1.215]) by waldorf.isode.com (submission channel) via TCP with ESMTPSA id <VlRmdgArT4L9@waldorf.isode.com>; Tue, 24 Nov 2015 13:30:32 +0000
Message-ID: <56546668.9000405@isode.com>
Date: Tue, 24 Nov 2015 13:30:16 +0000
From: Alexey Melnikov <alexey.melnikov@isode.com>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Thunderbird/31.7.0
To: Russ Housley <housley@vigilsec.com>
References: <20151120142925.18541.72151.idtracker@ietfa.amsl.com> <0C545746-E755-487D-8F0C-BB5981C2C5EE@vigilsec.com> <56508299.9070505@isode.com> <FFC4A0CA-FBE7-4C8F-8E17-C95AD790F7B5@vigilsec.com>
In-Reply-To: <FFC4A0CA-FBE7-4C8F-8E17-C95AD790F7B5@vigilsec.com>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="------------010706040202000403070709"
Archived-At: <http://mailarchive.ietf.org/arch/msg/uta/W-T6htw09N3WrEfdltHfd4NNR6w>
Cc: uta@ietf.org, uta-chairs@ietf.org, draft-ietf-uta-email-tls-certs@ietf.org, ietf@ietf.org
Subject: Re: [Uta] Last Call: <draft-ietf-uta-email-tls-certs-05.txt> (Updated TLS Server Identity Check Procedure for Email Related Protocols) to Proposed Standard
X-BeenThere: uta@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: UTA working group mailing list <uta.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/uta>, <mailto:uta-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/uta/>
List-Post: <mailto:uta@ietf.org>
List-Help: <mailto:uta-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/uta>, <mailto:uta-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 24 Nov 2015 13:30:38 -0000
Hi Russ, On 23/11/2015 15:10, Russ Housley wrote: > Alexey: > > Thanks for addressing my comments. I think the CN-ID, DNS-ID, and SRV-ID definitions would be about 1/2 page. Is that a lot of text? If you are only suggesting to adding this: * CN-ID = a Relative Distinguished Name (RDN) in the certificate subject field that contains one and only one attribute-type- and-value pair of type Common Name (CN), where the value matches the overall form of a domain name (informally, dot- separated letter-digit-hyphen labels); see [PKIX <https://tools.ietf.org/html/rfc6125#ref-PKIX>] and also [LDAP-SCHEMA <https://tools.ietf.org/html/rfc6125#ref-LDAP-SCHEMA>] * DNS-ID = a subjectAltName entry of type dNSName; see [PKIX <https://tools.ietf.org/html/rfc6125#ref-PKIX>] * SRV-ID = a subjectAltName entry of type otherName whose name form is SRVName; see [SRVNAME <https://tools.ietf.org/html/rfc6125#ref-SRVNAME>] * URI-ID = a subjectAltName entry of type uniformResourceIdentifier whose value includes both (i) a "scheme" and (ii) a "host" component (or its equivalent) that matches the "reg-name" rule (where the quoted terms represent the associated [ABNF <https://tools.ietf.org/html/rfc6125#ref-ABNF>] productions from [URI <https://tools.ietf.org/html/rfc6125#ref-URI>]); see [PKIX <https://tools.ietf.org/html/rfc6125#ref-PKIX>] and [URI <https://tools.ietf.org/html/rfc6125#ref-URI>] then it would be alright. If we start explaining reference identifiers, etc., then it is much harder job and I an worried of not copying enough, which can make this misleading when compared to RFC 6125. > > Russ > > > On Nov 21, 2015, at 9:41 AM, Alexey Melnikov wrote: > >> Hi Russ, >> Thank you for your comments. >> >> On 20/11/2015 21:36, Russ Housley wrote: >>> I support this document going forward. Below I suggest four improvements to the document. >>> >>> (1) In Introduction says: >>> >>> Note that this document doesn't apply to use of TLS in MTA-to-MTA >>> SMTP. >>> >>> Can this be enhanced to include a pointer to where this can be found? >> Currently this is discussed in draft-friedl-uta-smtp-mta-certs, but this >> is not a WG document, so I would rather not have a pointer. >> >>> (2) The next paragraph in the Introduction says: >>> >>> The main goal of the document is to provide consistent TLS server >>> identity verification procedure across multiple email related >>> protocols. >>> >>> Since this is a standards-track document, I think it would be better to say: >>> >>> This document provides a consistent TLS server identity >>> verification procedure across multiple email related protocols. >> Changed, thank you. >> >>> (3) Section 2 does a lot by reference, which is fine. I think it would help the reader to duplicate a bit of context from RFC 6125, in particular repeating the definitions of CN-ID, DNS-ID, and SRV-ID. >> Yes, I struggled with this as well. This would be lots of cut & pasted >> text. >> >>> (4) Section 3 needs to state first that the certificate passes certification path validation as described in Section 6 of RFC 5280, and second passes the email-specific rules in this section. >> Yes, this was implied. Added to my copy. >> > _______________________________________________ > Uta mailing list > Uta@ietf.org > https://www.ietf.org/mailman/listinfo/uta
- [Uta] Last Call: <draft-ietf-uta-email-tls-certs-… The IESG
- Re: [Uta] Last Call: <draft-ietf-uta-email-tls-ce… Russ Housley
- Re: [Uta] Last Call: <draft-ietf-uta-email-tls-ce… Alexey Melnikov
- Re: [Uta] Last Call: <draft-ietf-uta-email-tls-ce… Leif Johansson
- Re: [Uta] Last Call: <draft-ietf-uta-email-tls-ce… Russ Housley
- Re: [Uta] Last Call: <draft-ietf-uta-email-tls-ce… Viktor Dukhovni
- Re: [Uta] Last Call: <draft-ietf-uta-email-tls-ce… Viktor Dukhovni
- Re: [Uta] Last Call: <draft-ietf-uta-email-tls-ce… stephen.farrell
- Re: [Uta] Last Call: <draft-ietf-uta-email-tls-ce… Alexey Melnikov
- Re: [Uta] Last Call: <draft-ietf-uta-email-tls-ce… Julien ÉLIE
- Re: [Uta] Last Call: <draft-ietf-uta-email-tls-ce… Alexey Melnikov
- Re: [Uta] Last Call: <draft-ietf-uta-email-tls-ce… Leif Johansson
- Re: [Uta] UTA: Server certificate management (Re:… Viktor Dukhovni
- Re: [Uta] UTA: Server certificate management (Re:… John Levine
- Re: [Uta] UTA: Server certificate management (Re:… Viktor Dukhovni
- Re: [Uta] UTA: Server certificate management (Re:… John Levine
- Re: [Uta] UTA: Server certificate management (Re:… Alexey Melnikov
- Re: [Uta] UTA: Server certificate management (Re:… Alexey Melnikov
- Re: [Uta] UTA: Server certificate management (Re:… John R Levine
- Re: [Uta] UTA: Server certificate management (Re:… Alexey Melnikov
- Re: [Uta] UTA: Server certificate management (Re:… John Levine
- Re: [Uta] UTA: Server certificate management (Re:… Alexey Melnikov
- Re: [Uta] UTA: Server certificate management (Re:… John R Levine
- Re: [Uta] UTA: Server certificate management (Re:… Alexey Melnikov
- Re: [Uta] UTA: Server certificate management (Re:… John R Levine
- Re: [Uta] UTA: Server certificate management (Re:… Alexey Melnikov