Re: [Uta] Last Call: <draft-ietf-uta-email-tls-certs-05.txt> (Updated TLS Server Identity Check Procedure for Email Related Protocols) to Proposed Standard
Russ Housley <housley@vigilsec.com> Mon, 23 November 2015 15:10 UTC
Return-Path: <housley@vigilsec.com>
X-Original-To: uta@ietfa.amsl.com
Delivered-To: uta@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4BD1C1A0120; Mon, 23 Nov 2015 07:10:45 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -101.9
X-Spam-Level:
X-Spam-Status: No, score=-101.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, USER_IN_WHITELIST=-100] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kA8JuKN_TXh2; Mon, 23 Nov 2015 07:10:43 -0800 (PST)
Received: from odin.smetech.net (x-bolt-wan.smeinc.net [209.135.219.146]) by ietfa.amsl.com (Postfix) with ESMTP id 453291A011C; Mon, 23 Nov 2015 07:10:43 -0800 (PST)
Received: from localhost (unknown [209.135.209.5]) by odin.smetech.net (Postfix) with ESMTP id 8D605F2405E; Mon, 23 Nov 2015 10:10:32 -0500 (EST)
X-Virus-Scanned: amavisd-new at smetech.net
Received: from odin.smetech.net ([209.135.209.4]) by localhost (ronin.smeinc.net [209.135.209.5]) (amavisd-new, port 10024) with ESMTP id YnerWNCDxS6V; Mon, 23 Nov 2015 10:09:02 -0500 (EST)
Received: from [192.168.2.104] (pool-108-51-128-219.washdc.fios.verizon.net [108.51.128.219]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) by odin.smetech.net (Postfix) with ESMTP id C08E7F24035; Mon, 23 Nov 2015 10:10:11 -0500 (EST)
Mime-Version: 1.0 (Apple Message framework v1085)
Content-Type: text/plain; charset="us-ascii"
From: Russ Housley <housley@vigilsec.com>
In-Reply-To: <56508299.9070505@isode.com>
Date: Mon, 23 Nov 2015 10:10:01 -0500
Content-Transfer-Encoding: quoted-printable
Message-Id: <FFC4A0CA-FBE7-4C8F-8E17-C95AD790F7B5@vigilsec.com>
References: <20151120142925.18541.72151.idtracker@ietfa.amsl.com> <0C545746-E755-487D-8F0C-BB5981C2C5EE@vigilsec.com> <56508299.9070505@isode.com>
To: Alexey Melnikov <alexey.melnikov@isode.com>
X-Mailer: Apple Mail (2.1085)
Archived-At: <http://mailarchive.ietf.org/arch/msg/uta/t-QGeLbB4BeCRoLVh5voC8_fLNM>
Cc: uta@ietf.org, uta-chairs@ietf.org, draft-ietf-uta-email-tls-certs@ietf.org, ietf@ietf.org
Subject: Re: [Uta] Last Call: <draft-ietf-uta-email-tls-certs-05.txt> (Updated TLS Server Identity Check Procedure for Email Related Protocols) to Proposed Standard
X-BeenThere: uta@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: UTA working group mailing list <uta.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/uta>, <mailto:uta-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/uta/>
List-Post: <mailto:uta@ietf.org>
List-Help: <mailto:uta-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/uta>, <mailto:uta-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 23 Nov 2015 15:10:45 -0000
Alexey: Thanks for addressing my comments. I think the CN-ID, DNS-ID, and SRV-ID definitions would be about 1/2 page. Is that a lot of text? Russ On Nov 21, 2015, at 9:41 AM, Alexey Melnikov wrote: > Hi Russ, > Thank you for your comments. > > On 20/11/2015 21:36, Russ Housley wrote: >> I support this document going forward. Below I suggest four improvements to the document. >> >> (1) In Introduction says: >> >> Note that this document doesn't apply to use of TLS in MTA-to-MTA >> SMTP. >> >> Can this be enhanced to include a pointer to where this can be found? > > Currently this is discussed in draft-friedl-uta-smtp-mta-certs, but this > is not a WG document, so I would rather not have a pointer. > >> (2) The next paragraph in the Introduction says: >> >> The main goal of the document is to provide consistent TLS server >> identity verification procedure across multiple email related >> protocols. >> >> Since this is a standards-track document, I think it would be better to say: >> >> This document provides a consistent TLS server identity >> verification procedure across multiple email related protocols. > > Changed, thank you. > >> (3) Section 2 does a lot by reference, which is fine. I think it would help the reader to duplicate a bit of context from RFC 6125, in particular repeating the definitions of CN-ID, DNS-ID, and SRV-ID. > > Yes, I struggled with this as well. This would be lots of cut & pasted > text. > >> (4) Section 3 needs to state first that the certificate passes certification path validation as described in Section 6 of RFC 5280, and second passes the email-specific rules in this section. > > Yes, this was implied. Added to my copy. >
- [Uta] Last Call: <draft-ietf-uta-email-tls-certs-… The IESG
- Re: [Uta] Last Call: <draft-ietf-uta-email-tls-ce… Russ Housley
- Re: [Uta] Last Call: <draft-ietf-uta-email-tls-ce… Alexey Melnikov
- Re: [Uta] Last Call: <draft-ietf-uta-email-tls-ce… Leif Johansson
- Re: [Uta] Last Call: <draft-ietf-uta-email-tls-ce… Russ Housley
- Re: [Uta] Last Call: <draft-ietf-uta-email-tls-ce… Viktor Dukhovni
- Re: [Uta] Last Call: <draft-ietf-uta-email-tls-ce… Viktor Dukhovni
- Re: [Uta] Last Call: <draft-ietf-uta-email-tls-ce… stephen.farrell
- Re: [Uta] Last Call: <draft-ietf-uta-email-tls-ce… Alexey Melnikov
- Re: [Uta] Last Call: <draft-ietf-uta-email-tls-ce… Julien ÉLIE
- Re: [Uta] Last Call: <draft-ietf-uta-email-tls-ce… Alexey Melnikov
- Re: [Uta] Last Call: <draft-ietf-uta-email-tls-ce… Leif Johansson
- Re: [Uta] UTA: Server certificate management (Re:… Viktor Dukhovni
- Re: [Uta] UTA: Server certificate management (Re:… John Levine
- Re: [Uta] UTA: Server certificate management (Re:… Viktor Dukhovni
- Re: [Uta] UTA: Server certificate management (Re:… John Levine
- Re: [Uta] UTA: Server certificate management (Re:… Alexey Melnikov
- Re: [Uta] UTA: Server certificate management (Re:… Alexey Melnikov
- Re: [Uta] UTA: Server certificate management (Re:… John R Levine
- Re: [Uta] UTA: Server certificate management (Re:… Alexey Melnikov
- Re: [Uta] UTA: Server certificate management (Re:… John Levine
- Re: [Uta] UTA: Server certificate management (Re:… Alexey Melnikov
- Re: [Uta] UTA: Server certificate management (Re:… John R Levine
- Re: [Uta] UTA: Server certificate management (Re:… Alexey Melnikov
- Re: [Uta] UTA: Server certificate management (Re:… John R Levine
- Re: [Uta] UTA: Server certificate management (Re:… Alexey Melnikov