On Wed, Apr 23, 2014 at 08:12:28PM -0700, [email protected] wrote:

>         Title           : SMTP security via opportunistic DANE TLS
>         Authors         : Viktor Dukhovni
>                           Wes Hardaker
>         Filename        : draft-ietf-dane-smtp-with-dane-08.txt
>         Pages           : 32
>         Date            : 2014-04-23
> 
> http://tools.ietf.org/html/draft-ietf-dane-smtp-with-dane-08
> 
> A diff from the previous version is available at:
> http://www.ietf.org/rfcdiff?url2=draft-ietf-dane-smtp-with-dane-08

I've updated the document to add text that describes in more
detail the name checks (RFC 6125 requirements) for SMTP with
opportunistic DANE TLS.

    - Presence of DNS-IDs preempts CN-ID processing, but CN-ID is
      supported in the absence of DNS-IDs.

    - No partial-label wildcards.

    - Single label wildcards are supported in both DNS-IDs and CN-IDs.

    - Multi-label wildcards are a local policy option for the client;
      servers should not expect this to be supported.

In addition I clarified the DANE-TA(3) matching rules (no name checks,
no expiration checks).

For DANE-TA(2), servers are encouraged to stick to selector Cert(0),
because SPKI(1) does not cover potentially important TA certificate
elements.  Use of matching type Full(0) is discouraged.

Note, digest algorithm agility remains unchanged; though we may
not yet have "rough consensus" for it, we have some significant
support.

Please review the diffs.  This is also a good time to read the
entire document if you have not done that yet.  Any remaining
changes should be minor.

Spelling, grammar, clarity suggestions appreciated.  Github
pull requests would be great:

    https://github.com/vdukhovni/ietf

I'll update the HTML periodically at:

    http://vdukhovni.github.io/ietf/draft-ietf-dane-smtp-with-dane-08.html

-- 
        Viktor.
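The name-check rules listed in the message above (DNS-IDs preempt the CN-ID, no partial-label wildcards, single-label wildcards allowed, multi-label wildcards only as client local policy), as an added reference-name matcher. This is illustrative code written for this page, not code from the draft or its authors; the exact wording of the draft's rules, and the constructed certificate names, are assumptions.

```python
from typing import Iterable, Optional


def _pattern_matches(pattern: str, name: str, multi_label: bool) -> bool:
    """Match one presented identifier (DNS-ID or CN-ID) against a reference name.

    Assumes both are lowercase ASCII (A-label) host names, as would be compared
    after IDNA processing. A wildcard is accepted only as the whole left-most
    label; anything else containing '*' (partial-label wildcards, '*' in the
    middle of the name, a bare '*') is rejected outright.
    """
    p = pattern.lower().rstrip(".")
    n = name.lower().rstrip(".")
    if not p.startswith("*."):
        # No left-most wildcard label: require an exact match with no '*' at all.
        return "*" not in p and p == n
    suffix = p[1:]  # e.g. ".example.com"
    if "*" in suffix or not n.endswith(suffix):
        return False  # multiple/partial wildcards, or the fixed part does not match
    prefix = n[: -len(suffix)]  # what the wildcard has to cover
    labels = prefix.split(".")
    if prefix == "" or any(label == "" for label in labels):
        return False  # wildcard must cover at least one non-empty label
    # Single-label wildcard match is always supported; multi-label match
    # (e.g. "*.example.com" covering "a.b.example.com") is local policy only.
    return len(labels) == 1 or multi_label


def reference_name_matches(reference: str, dns_ids: Iterable[str],
                           cn_id: Optional[str],
                           allow_multi_label: bool = False) -> bool:
    """Return True if the certificate names match the reference (TLSA base) name.

    dns_ids are the subjectAltName dNSName values; cn_id is the subject CN.
    Presence of any DNS-ID preempts CN-ID processing entirely.
    """
    ids = list(dns_ids)
    candidates = ids if ids else ([cn_id] if cn_id else [])
    return any(_pattern_matches(c, reference, allow_multi_label) for c in candidates)


if __name__ == "__main__":
    # Constructed example: a cert with a wildcard SAN and an unrelated CN.
    print(reference_name_matches("mx1.example.com", ["*.example.com"], "smtp.example.net"))
    # CN is ignored once a DNS-ID is present, even if the CN would match.
    print(reference_name_matches("mx1.example.com", ["www.example.com"], "mx1.example.com"))
```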

_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane