On 6/7/12 8:48 AM, Tony Finch wrote:
> Peter Saint-Andre <[email protected]> wrote:
>> On 6/1/12 11:03 AM, Shumon Huque wrote:
>>> On Fri, Jun 01, 2012 at 05:47:50PM +0100, Tony Finch wrote:
>>>>
>>>> I presume that the client would not actually use mail.example.net as a
>>>> reference identifier unless DNSSEC is in use, otherwise that would not be
>>>> secure and is therefore forbidden according to the rules a few paragraphs
>>>> earlier in RFC 6125.
>>>
>>> That sounds correct to me.
>>
>> Agreed. That's the approach Matt Miller and I are taking for secure
>> delegation in XMPP (we'll submit an I-D soonish).
>
> I have a review in the works :-)
Thanks.
> While I was investigating this yesterday I had a look at gmail.com's
> RFC 6186 email SRV setup since I thought I might use it as an example.
> Sadly their servers have the wrong certificates - they can only
> authenticate {imap,pop,smtp}.gmail.com not gmail.com. I've written this up
> in more detail at http://fanf.livejournal.com/120855.html and notified
> [email protected]. I don't entirely blame them for this error since
> RFC 6125's abstractions are a bit confusing and the email example doesn't
> mention the "derived domain" caveat.
The more I think about it, the more I realize that RFC 6125 will need to
be updated to reflect the use of derived domains under secure
delegation. But let's work on our separate email and XMPP I-Ds first. :)
Peter
--
Peter Saint-Andre
https://stpeter.im/
_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane
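The point Tony and Peter are circling above (a client may only treat the SRV target, the "derived domain", as a reference identifier when the SRV answer was DNSSEC-validated; otherwise the only usable reference identifiers come from the "source domain" the user typed) is easy to get backwards, which is presumably how the gmail.com certificates ended up naming only {imap,pop,smtp}.gmail.com. The following is an added example written for this page, not code from the thread or from any of the drafts mentioned in it. It models RFC 6125 section 6.2.1 reference-identifier selection and section 6.4.3 DNS-ID matching over an RFC 6186-style SRV result. The `SrvResult` and `Certificate` classes and the gmail.com sample data are constructed for illustration; a real client would take the presented identifiers from the server certificate's subjectAltName extension and the `dnssec_validated` flag from its validating resolver.

```python
"""RFC 6125 reference-identifier selection after an RFC 6186 SRV lookup.

Added example, not code from this thread. It models the rule the thread
discusses: a client may use the SRV target (the "derived domain") as a
reference identifier only when the SRV record was obtained securely,
i.e. DNSSEC-validated; otherwise the only reference identifiers are built
from the domain the user entered (the "source domain"). The SRV results
and certificates below are constructed sample data.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class SrvResult:
    """Outcome of an RFC 6186 SRV lookup, e.g. for _imaps._tcp.gmail.com."""
    source_domain: str      # what the user typed, e.g. "gmail.com"
    service: str            # SRV service label without underscore, e.g. "imaps"
    target: str             # SRV target host, e.g. "imap.gmail.com"
    port: int
    dnssec_validated: bool  # True only if the resolver validated the answer


@dataclass
class Certificate:
    """Presented identifiers taken from the certificate's subjectAltName."""
    dns_ids: List[str] = field(default_factory=list)  # dNSName entries
    srv_ids: List[str] = field(default_factory=list)  # SRVName entries, e.g. "_imaps.gmail.com"


def reference_identifiers(srv: SrvResult) -> Dict[str, Set[str]]:
    """Build the reference identifiers a client may accept (RFC 6125 s6.2.1)."""
    src = srv.source_domain.lower().rstrip(".")
    svc = srv.service.lower()
    refs = {"DNS-ID": {src}, "SRV-ID": {f"_{svc}.{src}"}}
    if srv.dnssec_validated:
        # The derived domain is only as trustworthy as the SRV record that
        # produced it, so it is admitted only after DNSSEC validation.
        tgt = srv.target.lower().rstrip(".")
        refs["DNS-ID"].add(tgt)
        refs["SRV-ID"].add(f"_{svc}.{tgt}")
    return refs


def dns_id_matches(presented: str, reference: str) -> bool:
    """RFC 6125 s6.4.3 DNS-ID comparison: case-insensitive; a wildcard is
    allowed only as the entire left-most label and matches exactly one label."""
    p = presented.lower().rstrip(".")
    r = reference.lower().rstrip(".")
    if "*" not in p:
        return p == r
    head, _, tail = p.partition(".")
    if head != "*" or not tail:
        return False
    rhead, _, rtail = r.partition(".")
    return bool(rhead) and rtail == tail


def verify(cert: Certificate, srv: SrvResult) -> Tuple[bool, str]:
    """Return (ok, reason): does any presented identifier match a reference?"""
    refs = reference_identifiers(srv)
    for p in cert.srv_ids:
        if p.lower().rstrip(".") in refs["SRV-ID"]:
            return True, f"SRV-ID {p} matched"
    for p in cert.dns_ids:
        for ref in refs["DNS-ID"]:
            if dns_id_matches(p, ref):
                return True, f"DNS-ID {p} matched {ref}"
    wanted = ", ".join(sorted(refs["DNS-ID"] | refs["SRV-ID"]))
    return False, f"no presented identifier matches any of: {wanted}"


# Constructed sample data modelled on the gmail.com case in the thread:
# the SRV record for _imaps._tcp.gmail.com points at imap.gmail.com, and the
# server certificate names only imap.gmail.com, not gmail.com.
GMAIL_CERT = Certificate(dns_ids=["imap.gmail.com"])
SRV_INSECURE = SrvResult("gmail.com", "imaps", "imap.gmail.com", 993, dnssec_validated=False)
SRV_SECURE = SrvResult("gmail.com", "imaps", "imap.gmail.com", 993, dnssec_validated=True)

if __name__ == "__main__":
    for label, srv in (("without DNSSEC", SRV_INSECURE), ("with DNSSEC", SRV_SECURE)):
        ok, why = verify(GMAIL_CERT, srv)
        print(f"{label}: {'OK' if ok else 'FAIL'} ({why})")
```

Run as-is it shows the two outcomes side by side: with an unvalidated SRV answer the certificate for imap.gmail.com is rejected because gmail.com is the only DNS-ID reference identifier, and it is accepted once the same SRV answer is DNSSEC-validated. A certificate carrying a gmail.com DNS-ID, an `_imaps.gmail.com` SRV-ID, or a `*.gmail.com` wildcard (validated case only) would also pass, which is the fix the thread points at for operators who cannot rely on DNSSEC-aware clients.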