On 2014-05-13 08:17, Olle E. Johansson wrote:
>
> On 12 May 2014, at 22:42, Viktor Dukhovni <[email protected]> wrote:
>
>>> Interesting, are you saying we want to examine/specify
>>> client side DANE records (right now DANE is all about server side records).
>>
>> Yes, but we likely can't specify the lookup keys in an application
>> neutral manner. Rather we can discuss the problem generally, and
>> allow individual application protocols to construct appropriate
>> keys. Still there could be some guidance on how to apply DANE to
>> TLS client identity (when the client identity can be mapped to a
>> suitable name in DNS).
>
> That is something that also applies to SIP, where we have an RFC
> about connection reuse in SIP/TLS. For server to server connections
> it is important to be able to verify a list of domains each side
> is authorized to use.
This problem applies to XMPP as well.

> The question it then boils down to is how I verify an incoming connection
> from an IP address with a name. Maybe a DNSSEC-secured reverse lookup
> is a starting point. What's the state of DNSSEC in .arpa?

Doing a full forward SRV lookup and TLSA lookups on each
_port._proto.srv-target is another possibility, but it may get awkward
for clustered services where incoming and outgoing connections are
handled by different servers.

--
Kim "Zash" Alvefur
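The forward check Kim describes (SRV lookup for the claimed domain, then a TLSA lookup at each _port._proto.srv-target, with the peer's presented certificate matched against those records), written out as an added example that is not part of this thread or of any project mentioned in it. DNS is replaced by a constructed in-memory zone whose entries carry a simulated "DNSSEC-secure" flag, the certificate is a stand-in type holding only the two byte strings DANE matches on (full DER and SubjectPublicKeyInfo), and the names example.org, xmpp1.example.org and xmpp2.example.org are hypothetical. Only the DANE usages that need no PKIX path validation (DANE-TA and DANE-EE) are accepted.

```python
"""Added example: authenticate a peer for a claimed domain via SRV -> TLSA.

DNS is simulated by a constructed zone; a real deployment would query a
DNSSEC-validating resolver and treat answers without the AD bit as
insecure, exactly as the 'secure' flag below does.
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class SRV:
    priority: int
    weight: int
    port: int
    target: str


@dataclass(frozen=True)
class TLSA:
    usage: int     # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE
    selector: int  # 0 full certificate, 1 SubjectPublicKeyInfo
    mtype: int     # 0 exact, 1 SHA-256, 2 SHA-512
    data: bytes    # certificate association data


@dataclass(frozen=True)
class Cert:
    # Stand-in for an X.509 certificate (hypothetical type, not a real parser):
    # only the two byte strings a TLSA record can match on.
    der: bytes
    spki: bytes


# Resolver interface: (owner name, RR type) -> (records, dnssec_secure)
Lookup = Callable[[str, str], tuple[list, bool]]


def tlsa_name(port: int, proto: str, target: str) -> str:
    """Owner name of the TLSA RRset for one SRV target, e.g. _5269._tcp.host."""
    return f"_{port}._{proto}.{target}"


def assoc_data(cert: Cert, selector: int, mtype: int) -> bytes:
    """Compute the association data a TLSA record would carry for this cert."""
    raw = cert.der if selector == 0 else cert.spki
    if mtype == 0:
        return raw
    if mtype == 1:
        return hashlib.sha256(raw).digest()
    if mtype == 2:
        return hashlib.sha512(raw).digest()
    raise ValueError(f"unknown TLSA matching type {mtype}")


def tlsa_matches(record: TLSA, chain: list[Cert]) -> bool:
    """chain is leaf-first. DANE-EE matches the leaf only; DANE-TA any issuer."""
    if record.usage == 3:
        candidates = chain[:1]
    elif record.usage == 2:
        candidates = chain[1:]
    else:
        return False  # PKIX-TA/PKIX-EE need a CA path validation not done here
    return any(assoc_data(c, record.selector, record.mtype) == record.data
               for c in candidates)


def srv_targets(lookup: Lookup, service: str, proto: str, domain: str) -> list[tuple[int, str]]:
    rrs, secure = lookup(f"_{service}._{proto}.{domain}", "SRV")
    if not secure:
        return []  # unsigned SRV: the target names cannot be trusted for DANE
    return sorted((r.port, r.target) for r in rrs)


def verify_peer(lookup: Lookup, domain: str, service: str, proto: str,
                chain: list[Cert]) -> Optional[str]:
    """Return the TLSA owner name that authenticated the peer, or None."""
    for port, target in srv_targets(lookup, service, proto, domain):
        name = tlsa_name(port, proto, target)
        rrs, secure = lookup(name, "TLSA")
        if not secure:
            continue  # insecure TLSA answer means "no DANE" for this target
        if any(tlsa_matches(r, chain) for r in rrs):
            return name
    return None


# Constructed sample data (hypothetical hosts and certificates, not real records).
CERT_XMPP1 = Cert(der=b"der:xmpp1", spki=b"spki:xmpp1")
CERT_XMPP2 = Cert(der=b"der:xmpp2", spki=b"spki:xmpp2")
CERT_FRONTEND = Cert(der=b"der:frontend", spki=b"spki:frontend")  # not an SRV target

ZONE: dict[tuple[str, str], tuple[list, bool]] = {
    ("_xmpp-server._tcp.example.org.", "SRV"): (
        [SRV(0, 5, 5269, "xmpp1.example.org."), SRV(0, 5, 5269, "xmpp2.example.org.")], True),
    ("_5269._tcp.xmpp1.example.org.", "TLSA"): (
        [TLSA(3, 1, 1, hashlib.sha256(CERT_XMPP1.spki).digest())], True),
    # Same record shape, but pretend this answer failed DNSSEC validation.
    ("_5269._tcp.xmpp2.example.org.", "TLSA"): (
        [TLSA(3, 1, 1, hashlib.sha256(CERT_XMPP2.spki).digest())], False),
}


def lookup(name: str, rtype: str) -> tuple[list, bool]:
    return ZONE.get((name, rtype), ([], False))


if __name__ == "__main__":
    for label, cert in (("xmpp1", CERT_XMPP1), ("xmpp2", CERT_XMPP2), ("frontend", CERT_FRONTEND)):
        print(label, verify_peer(lookup, "example.org.", "xmpp-server", "tcp", [cert]))
```

The third constructed case is the clustering problem from the post: a host that sends outbound connections but is not one of the SRV targets has no TLSA name a receiver can derive from the claimed domain, so the forward check fails for it even though its certificate may be perfectly valid.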
_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane
