On Fri, May 16, 2014 at 04:09:30PM +0200, Andreas Schulze wrote:

> James Cloos:
> 
> >Maybe, in this case, _proto._clientauth.c.example.
> 
> just to make sure I read above right:
> 
> - $client connect from $random_highport to $server:$fix_serviceport.

Yes.

> - $server extract $client_ip and lookup $client_name (PTR)

This is often not the right name; if at all possible (in an
application protocol where the client can signal its identity before
STARTTLS) the name should be conveyed by the client.  TLSA records
would authenticate that name.

If the client's name is authenticated, it might be used for access
control and to avoid impersonation.  To mitigate downgrade attacks,
the server would have to be willing to not continue when DNS
resolution (either the forward address lookup or the TLSA lookup)
of the client name fails (note "insecure" or validated NXDOMAIN is
not a failure in this sense, see the DNS error section of the SMTP
draft).

For SMTP, many clients have HELO names whose lookups fail with
NXDOMAIN, but I don't know whether ServFail or similar errors are
also common.  This is more likely to initially be more applicable
to XMPP and SIP, but SMTP might also benefit some day.

> - $server lookup $fix_serviceport._clientauth.$client_name. for TLSA Record.
> 
> right?

No, the server looks up something like:

        smtp._clientauth.$clientname IN TLSA ?

where "smtp" is (one example of) the application service name.

-- 
        Viktor.

_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane
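The server-side procedure discussed in the message, as an added example (not code from the thread, the DANE drafts, or any DANE implementation): the client announces its own name (for SMTP, the EHLO name, not a PTR lookup of its address), the server looks up <service>._clientauth.<name> IN TLSA, and proceeds only according to the resolver's verdict. The `DnsStatus` classification, the dictionary standing in for a validating resolver, the resolver entries, and the certificate/SPKI byte strings are all constructed for this example; TLSA matching is restricted to DANE-EE (usage 3) with selectors 0/1 and matching types 0/1/2 as a simplification. ServFail on either the forward address lookup or the TLSA lookup refuses the session (the downgrade mitigation), while insecure answers and NXDOMAIN, validated or not, simply mean no DANE for that client.

```python
import hashlib
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Tuple


class DnsStatus(Enum):
    """Resolver verdict on one lookup (hypothetical model of a validating resolver)."""
    SECURE = "secure"      # DNSSEC-validated answer with records
    INSECURE = "insecure"  # unsigned zone: any records present are not trustworthy
    NXDOMAIN = "nxdomain"  # denial of existence, validated or insecure
    SERVFAIL = "servfail"  # lookup failed: bogus signatures, timeout, ...


class Decision(Enum):
    REQUIRE_TLSA_AUTH = "require a client certificate matching the TLSA records"
    NO_CLIENT_AUTH = "no DANE authentication available for this client name"
    REFUSE = "refuse to proceed (downgrade resistance)"


@dataclass(frozen=True)
class Tlsa:
    usage: int      # 3 = DANE-EE (only usage handled in this example)
    selector: int   # 0 = full certificate, 1 = SubjectPublicKeyInfo
    mtype: int      # 0 = exact match, 1 = SHA-256, 2 = SHA-512
    data: bytes


@dataclass(frozen=True)
class DnsAnswer:
    status: DnsStatus
    records: Tuple[Tlsa, ...] = ()


def forward_qname(client_name: str) -> str:
    return client_name.rstrip(".").lower() + "."


def clientauth_qname(service: str, client_name: str) -> str:
    """Owner name from the thread: <service>._clientauth.<client name> (service label, not port)."""
    return f"{service}._clientauth.{forward_qname(client_name)}"


def tlsa_usable(r: Tlsa) -> bool:
    # Simplification for this example: DANE-EE only, selectors 0/1, matching types 0/1/2.
    return r.usage == 3 and r.selector in (0, 1) and r.mtype in (0, 1, 2)


def tlsa_matches(r: Tlsa, cert_der: bytes, spki_der: bytes) -> bool:
    """Compare one TLSA record against the client's certificate (RFC 6698 matching)."""
    if not tlsa_usable(r):
        return False
    obj = cert_der if r.selector == 0 else spki_der
    if r.mtype == 0:
        return r.data == obj
    digest = hashlib.sha256 if r.mtype == 1 else hashlib.sha512
    return r.data == digest(obj).digest()


def decide(addr: DnsAnswer, tlsa: DnsAnswer) -> Decision:
    # ServFail on either lookup: refuse, so breaking DNS cannot strip the authentication.
    if DnsStatus.SERVFAIL in (addr.status, tlsa.status):
        return Decision.REFUSE
    # Secure TLSA answer with a usable record: the client must present a matching cert.
    if tlsa.status is DnsStatus.SECURE and any(tlsa_usable(r) for r in tlsa.records):
        return Decision.REQUIRE_TLSA_AUTH
    # Insecure zone or NXDOMAIN (validated or not): no DANE for this client, not a failure.
    return Decision.NO_CLIENT_AUTH


def authenticate_client(service: str, ehlo_name: str, resolver: Dict[str, DnsAnswer],
                        cert_der: bytes, spki_der: bytes) -> Tuple[Decision, bool]:
    """resolver: constructed qname -> answer table; an unknown name counts as a failed lookup.
    The client name comes from the client (EHLO), not from a PTR lookup of its address."""
    unknown = DnsAnswer(DnsStatus.SERVFAIL)
    addr = resolver.get(forward_qname(ehlo_name), unknown)
    tlsa = resolver.get(clientauth_qname(service, ehlo_name), unknown)
    decision = decide(addr, tlsa)
    authenticated = decision is Decision.REQUIRE_TLSA_AUTH and any(
        tlsa_matches(r, cert_der, spki_der) for r in tlsa.records)
    return decision, authenticated


# Constructed sample data: stand-in bytes for a DER certificate and its SPKI.
CERT_DER = b"\x30\x82\x01\x00constructed-certificate-bytes"
SPKI_DER = b"\x30\x59\x30\x13constructed-spki-bytes"

RESOLVER: Dict[str, DnsAnswer] = {
    # Signed zone with a DANE-EE / SPKI / SHA-256 record for the client name.
    "good.example.": DnsAnswer(DnsStatus.SECURE),
    "smtp._clientauth.good.example.": DnsAnswer(
        DnsStatus.SECURE, (Tlsa(3, 1, 1, hashlib.sha256(SPKI_DER).digest()),)),
    # Unsigned zone: a TLSA record exists but cannot be trusted.
    "unsigned.example.": DnsAnswer(DnsStatus.INSECURE),
    "smtp._clientauth.unsigned.example.": DnsAnswer(
        DnsStatus.INSECURE, (Tlsa(3, 0, 1, hashlib.sha256(CERT_DER).digest()),)),
    # The common SMTP case from the message: a HELO name that does not exist.
    "bogus-helo.example.": DnsAnswer(DnsStatus.NXDOMAIN),
    "smtp._clientauth.bogus-helo.example.": DnsAnswer(DnsStatus.NXDOMAIN),
    # Signed zone whose TLSA lookup fails: must not silently downgrade.
    "broken.example.": DnsAnswer(DnsStatus.SECURE),
    "smtp._clientauth.broken.example.": DnsAnswer(DnsStatus.SERVFAIL),
}

if __name__ == "__main__":
    for name in ("good.example", "unsigned.example", "bogus-helo.example", "broken.example"):
        print(name, authenticate_client("smtp", name, RESOLVER, CERT_DER, SPKI_DER))
```

A real deployment would take the `DnsStatus` from a validating resolver's AD bit and error codes, and would additionally apply the usual SMTP policy on whether to defer (4xx) or reject (5xx) when `Decision.REFUSE` comes back; the point of the table is that only `SERVFAIL` reaches that branch.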