Re: [Uta] UTA: Server certificate management (Re: Last Call: <draft-ietf-uta-email-tls-certs-05.txt>)

"John Levine" <johnl@taugh.com> Wed, 02 December 2015 15:17 UTC

Date: Wed, 02 Dec 2015 15:17:16 -0000
Message-ID: <20151202151716.22721.qmail@ary.lan>
From: John Levine <johnl@taugh.com>
To: uta@ietf.org
In-Reply-To: <565EE412.6040106@isode.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/uta/pAKY0Vzged_dfTgVp1MAWgSVSL0>
Cc: alexey.melnikov@isode.com
Subject: Re: [Uta] UTA: Server certificate management (Re: Last Call: <draft-ietf-uta-email-tls-certs-05.txt>)

>1) use the Server Name Indication TLS extension. At the moment none of the 
>email specs requires it. But maybe it is something that the draft should 
>encourage.
>2) run each domain on its own IP/port, then each IP/port can use a 
>separate certificate with a single domain.

Given that there are mail services with tens of thousands of domains
on the same set of servers, and probably at least one mail service
with 100,000 domains, this really doesn't scale.

From previous messages, I understand that both publishing and checking
SRV-ID are entirely optional.  It would be nice to adjust the draft to
make that clear.

R's,
John
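As an added illustration of the SRV-ID versus DNS-ID checking discussed in this thread (example code, not from the draft or from any poster): a client-side matcher for a mail server certificate's presented identifiers, where SRV-IDs are assumed to be in the "_service.host" form of RFC 4985 and all certificate data is constructed inline rather than parsed from a real certificate. The `check_srv_id` switch models a client that treats SRV-ID checking as optional and relies on DNS-IDs alone.

```python
"""Match a client's reference identifiers against the identifiers a mail
server certificate presents (DNS-ID from dNSName SANs, SRV-ID from SRVName
otherNames). Sample data below is constructed; no certificate parsing."""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Ident:
    kind: str   # "DNS-ID" or "SRV-ID" (SRV-ID assumed in "_service.host" form)
    value: str


def _dns_match(reference: str, presented: str) -> bool:
    """DNS-ID comparison: case-insensitive; a single wildcard is allowed only
    as the whole leftmost label and never matches more than one label."""
    ref = reference.lower().rstrip(".").split(".")
    pres = presented.lower().rstrip(".").split(".")
    if len(ref) != len(pres) or len(ref) < 2:
        return False
    if pres[0] == "*":
        return ref[1:] == pres[1:]
    return ref == pres


def _srv_match(service: str, host: str, presented: str) -> bool:
    """SRV-ID comparison: service name and host must both match exactly
    (case-insensitively); no wildcards are honoured for SRV-IDs."""
    if not presented.startswith("_"):
        return False
    svc, _, name = presented[1:].partition(".")
    return (svc.lower() == service.lower()
            and name.lower().rstrip(".") == host.lower().rstrip("."))


def certificate_matches(host: str, service: str, presented: List[Ident],
                        check_srv_id: bool = True) -> bool:
    """True if any presented identifier matches the reference (host, service).
    With check_srv_id=False the client ignores SRV-IDs entirely."""
    for ident in presented:
        if ident.kind == "DNS-ID" and _dns_match(host, ident.value):
            return True
        if check_srv_id and ident.kind == "SRV-ID" and _srv_match(service, host, ident.value):
            return True
    return False


# Constructed sample: a hosting provider's IMAP server certificate that also
# carries an SRV-ID for one hosted customer domain (hypothetical names).
SAMPLE_CERT = [
    Ident("DNS-ID", "imap.hosting.example"),
    Ident("DNS-ID", "*.mail.hosting.example"),
    Ident("SRV-ID", "_imap.customer.example"),
]
```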