Re: [Uta] Eric Rescorla's Yes on draft-ietf-uta-email-deep-09: (with COMMENT)

Eric Rescorla <ekr@rtfm.com> Fri, 27 October 2017 14:22 UTC

From: Eric Rescorla <ekr@rtfm.com>
Date: Fri, 27 Oct 2017 07:21:19 -0700
Message-ID: <CABcZeBO1_qPNFb0_MnWJkqMN=rfWMs_goCHNX5eOSPXd1fX=bw@mail.gmail.com>
To: Keith Moore <moore@network-heretics.com>
Cc: Chris Newman <chris.newman@oracle.com>, The IESG <iesg@ietf.org>, "draft-ietf-uta-email-deep@ietf.org" <draft-ietf-uta-email-deep@ietf.org>, "uta-chairs@ietf.org" <uta-chairs@ietf.org>, Leif Johansson <leifj@sunet.se>, "uta@ietf.org" <uta@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/uta/ZdO6JqHKSlvhH_wZ6wobIj9EYCU>

Perhaps it would be useful if Chris could walk through the example he gave
in more detail.

My point is that if the client is configured to connect to "pop.example.com",
that has to be in the certificate, regardless of how many SRV records there are.
-Ekr


On Fri, Oct 27, 2017 at 7:16 AM, Keith Moore <moore@network-heretics.com>
wrote:

>
> > On Oct 27, 2017, at 7:48 AM, Eric Rescorla <ekr@rtfm.com> wrote:
> >
> > The entire principle here is that (absent DNSSEC) TLS operates on what
> was fed into the client.
>
> Could you elaborate a bit?  I feel like I'm missing some context.
>
> Thanks,
>
> Keith
>
>
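Ekr's point above, as an added example (not code from the draft or from either author): a client-side reference-identifier check in which the user-configured hostname is always a valid reference identifier, and the SRV target name is accepted only when the SRV answer was DNSSEC-validated. The hostnames, the SAN lists and the `srv_dnssec_validated` flag are constructed for illustration.

```python
# Constructed sample: the user configured "pop.example.com"; an SRV lookup
# (which, without DNSSEC, is an unauthenticated DNS answer) pointed the client
# at "mail3.provider.example".
CONFIGURED_HOST = "pop.example.com"
SRV_TARGET = "mail3.provider.example"


def dns_id_match(pattern: str, name: str) -> bool:
    """Match one certificate DNS-ID against a reference identifier.

    Case-insensitive, trailing dot ignored. A wildcard is honoured only as the
    entire left-most label and only when at least two labels follow it, which
    is the conservative reading of RFC 6125 section 6.4.3 (an assumption here).
    """
    pattern = pattern.lower().rstrip(".")
    name = name.lower().rstrip(".")
    if pattern == name:
        return True
    p_labels, n_labels = pattern.split("."), name.split(".")
    if len(p_labels) != len(n_labels) or len(p_labels) < 3:
        return False
    return p_labels[0] == "*" and p_labels[1:] == n_labels[1:]


def cert_matches(san_dns_names, reference_id: str) -> bool:
    """True if any subjectAltName dNSName in the certificate matches reference_id."""
    return any(dns_id_match(p, reference_id) for p in san_dns_names)


def reference_identifiers(configured_host: str, srv_target: str,
                          srv_dnssec_validated: bool):
    """Names the client may accept in the server certificate.

    The configured name was fed into the client by the user, so it is always
    a reference identifier. The SRV target only becomes one when the SRV
    record itself was DNSSEC-validated; otherwise an attacker who can forge
    DNS answers could steer the client to a host whose certificate they hold.
    """
    ids = [configured_host]
    if srv_dnssec_validated:
        ids.append(srv_target)
    return ids


def accept_certificate(san_dns_names, configured_host=CONFIGURED_HOST,
                       srv_target=SRV_TARGET, srv_dnssec_validated=False) -> bool:
    """Decision the client makes after the TLS handshake presents the cert."""
    refs = reference_identifiers(configured_host, srv_target, srv_dnssec_validated)
    return any(cert_matches(san_dns_names, r) for r in refs)
```

The first case in the test is the one under discussion: a certificate naming only the SRV target is rejected unless the SRV answer was signed, while a certificate naming the configured host is accepted no matter where the SRV records pointed.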