IETF Logo Mail Archive

Re: [Uta] UTA: Server certificate management (Re: Last Call: <draft-ietf-uta-email-tls-certs-05.txt>)

Alexey Melnikov <alexey.melnikov@isode.com> Wed, 02 December 2015 15:27 UTC

Return-Path: <alexey.melnikov@isode.com>
X-Original-To: uta@ietfa.amsl.com
Delivered-To: uta@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8CC5F1A7D84 for <uta@ietfa.amsl.com>; Wed, 2 Dec 2015 07:27:21 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.011
X-Spam-Level:
X-Spam-Status: No, score=-2.011 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1DHh6Hbhy8LE for <uta@ietfa.amsl.com>; Wed, 2 Dec 2015 07:27:20 -0800 (PST)
Received: from statler.isode.com (Statler.isode.com [62.232.206.189]) by ietfa.amsl.com (Postfix) with ESMTP id EC38A1A7003 for <uta@ietf.org>; Wed, 2 Dec 2015 07:27:19 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; t=1449070039; d=isode.com; s=selector; i=@isode.com; bh=vYv59MmgPGU/l2Rp7RmkFz5BBYaLDB0jLBY/80hdO28=; h=From:Sender:Reply-To:Subject:Date:Message-ID:To:Cc:MIME-Version: In-Reply-To:References:Content-Type:Content-Transfer-Encoding: Content-ID:Content-Description; b=xhUcBKMEVpsUAgHdKZVwbhBx9GeRe96vICP2XcpVq+xsAaGqlggSRPx4YPQwhwTMlg/c5L 5vTLXADCROOVlIxf4anHUytjoplM3XMvtwrBldOnI2bixIewbtVjk5UIGWx9rfuIUrGWzm 5sb3TnW5W7KwfjGTjiv9GUH66J1OP40=;
Received: from [172.20.1.215] (dhcp-215.isode.net [172.20.1.215]) by statler.isode.com (submission channel) via TCP with ESMTPSA id <Vl8N1gAlTpDK@statler.isode.com>; Wed, 2 Dec 2015 15:27:19 +0000
Message-ID: <565F0DC8.9060507@isode.com>
Date: Wed, 02 Dec 2015 15:27:04 +0000
From: Alexey Melnikov <alexey.melnikov@isode.com>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Thunderbird/31.7.0
To: John Levine <johnl@taugh.com>, uta@ietf.org
References: <20151202151716.22721.qmail@ary.lan>
In-Reply-To: <20151202151716.22721.qmail@ary.lan>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: 7bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/uta/XawTDs_FwcwAgXp6b9nGVpXXoXU>
Subject: Re: [Uta] UTA: Server certificate management (Re: Last Call: <draft-ietf-uta-email-tls-certs-05.txt>)
X-BeenThere: uta@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: UTA working group mailing list <uta.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/uta>, <mailto:uta-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/uta/>
List-Post: <mailto:uta@ietf.org>
List-Help: <mailto:uta-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/uta>, <mailto:uta-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 02 Dec 2015 15:27:21 -0000

On 02/12/2015 15:17, John Levine wrote:
>> 1) use Server Name Indication TLS extension. At the moment none of the
>> email specs requires it. But maybe it is something that the draft should
>> encourage.
>> 2) run each domain on its own IP/port, then each IP/port can use
>> separate certificate with a single domain.
> Given that there are mail services with tens of thousands of domains
> on the same set of servers, and probably at least one mail service
> with 100,000 domains, this really doesn't scale.
Yes, I can add a note about this. Also recommending use of SNI (case 1) 
might be a good idea.
>  From previous messages, I understand that both publishing and checking
> SRV-ID are entirely optional.  It would be nice to adjust to draft to
> make that clear.
Ack, I will add some text along what we've discussed.

v2.23.0 | Report a Bug | By Email