IETF Logo Mail Archive

Re: [Uta] UTA: Server certificate management (Re: Last Call: <draft-ietf-uta-email-tls-certs-05.txt>)

Alexey Melnikov <alexey.melnikov@isode.com> Wed, 02 December 2015 16:07 UTC

Return-Path: <alexey.melnikov@isode.com>
X-Original-To: uta@ietfa.amsl.com
Delivered-To: uta@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B34D51AD063 for <uta@ietfa.amsl.com>; Wed, 2 Dec 2015 08:07:40 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.011
X-Spam-Level:
X-Spam-Status: No, score=-2.011 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DYJA9hrqQMVg for <uta@ietfa.amsl.com>; Wed, 2 Dec 2015 08:07:39 -0800 (PST)
Received: from waldorf.isode.com (waldorf.isode.com [62.232.206.188]) by ietfa.amsl.com (Postfix) with ESMTP id 915DB1ACEF6 for <uta@ietf.org>; Wed, 2 Dec 2015 08:07:33 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; t=1449072452; d=isode.com; s=selector; i=@isode.com; bh=TIJ3sFk9Pq1MajEvtXrDtynzHFOeKwhPTpOaJqAME2Y=; h=From:Sender:Reply-To:Subject:Date:Message-ID:To:Cc:MIME-Version: In-Reply-To:References:Content-Type:Content-Transfer-Encoding: Content-ID:Content-Description; b=RNVf3BYLIzFf15aIiJxf44aPfHI4ypTgVRUY1FJyXi8rEO/zr+fDbv8iEoX9H2EL1xlRvX scTDetG4HAmwvAsPekx+EKIts4VjJogLc2P17/tvdfxvAtPhUSefWGuZR5U83qG8JZLetl RxN3/D1JvYzKD6XVrT/CLRc4+Frh8S8=;
Received: from [172.20.1.215] (dhcp-215.isode.net [172.20.1.215]) by waldorf.isode.com (submission channel) via TCP with ESMTPSA id <Vl8XRAArTyNE@waldorf.isode.com>; Wed, 2 Dec 2015 16:07:32 +0000
Message-ID: <565F1735.6080803@isode.com>
Date: Wed, 02 Dec 2015 16:07:17 +0000
From: Alexey Melnikov <alexey.melnikov@isode.com>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Thunderbird/31.7.0
To: John R Levine <johnl@taugh.com>
References: <20151202151716.22721.qmail@ary.lan> <565F0DC8.9060507@isode.com> <alpine.OSX.2.11.1512021039490.21537@ary.lan> <565F12D1.6050700@isode.com> <alpine.OSX.2.11.1512021051220.21537@ary.lan>
In-Reply-To: <alpine.OSX.2.11.1512021051220.21537@ary.lan>
MIME-Version: 1.0
Content-Type: text/plain; charset="windows-1252"; format="flowed"
Content-Transfer-Encoding: 7bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/uta/mv6F4te0yWoW5C0AhlbEqy0AudA>
Cc: uta@ietf.org
Subject: Re: [Uta] UTA: Server certificate management (Re: Last Call: <draft-ietf-uta-email-tls-certs-05.txt>)
X-BeenThere: uta@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: UTA working group mailing list <uta.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/uta>, <mailto:uta-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/uta/>
List-Post: <mailto:uta@ietf.org>
List-Help: <mailto:uta-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/uta>, <mailto:uta-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 02 Dec 2015 16:07:40 -0000

On 02/12/2015 15:54, John R Levine wrote:
>>> If there's no SRV-ID, you don't need SNI since all 100,000 domains 
>>> point at the same server name.
>> Yes, but then they can't be verified automatically by MUAs, so each 
>> of them would need to be approved manually by users.
>
> Aren't we back to RFC 6186?  If the MUA developers are going to open 
> up the code to add new checks for the server's certificate, why not 
> also add checks for the appropriate SRV records?  I realize that not 
> everyone does DNSSEC, but the SRV check will be a lot more effective 
> than yet another baffling warning that ends with "check OK if you ever 
> want to see your mail again".
If you can suggest a couple of sentences to add, that would be appreciated.

v2.23.0 | Report a Bug | By Email