On 2014-06-11 03:24, Peter Saint-Andre wrote:
> Matt Miller and I submitted a new version of draft-ietf-dane-srv today.

Why does the text in Section 3 say to do queries in parallel when Section 3.2 says that one has to do A/AAAA lookups and validation (which depend on SRV) before deciding to do TLSA lookups? And what does the security status of A/AAAA records matter if you have a secure reference to the certificate you see? Unless of course if you get bogus, then aborting the connection to that target is sane.

> SRV is secure: The reference identifiers SHALL include both the
> service domain and the SRV target server host name (e.g., include
> both "im.example.com" and "xmpp23.hosting.example.net"). The
> target server host name is the preferred name for TLS SNI or its
> equivalent.

In XMPP, sending to='xmpp123.hosting.example.net' instead of to='example.com' does not seem sensible to me. The server should know which cert to present for each domain, or probably just shows the same for all if it is a multi-tenant hosting service. And I don't think one should look too hard at the name in a certificate if you have a matching TLSA record.

-- 
Kim "Zash" Alvefur
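The lookup dependency the thread is arguing about (SRV first, then A/AAAA for the target, and only then a TLSA lookup whose usefulness depends on the SRV answer's DNSSEC status) as an added illustration; this is not code from the draft or from either poster. The resolver, record data, the "bogus anywhere aborts" rule and the insecure-SRV branch (service domain only, no TLSA) are assumptions made for the example.

```python
from dataclasses import dataclass
from enum import Enum

class Status(Enum):
    SECURE = "secure"      # DNSSEC-validated answer
    INSECURE = "insecure"  # unsigned delegation, nothing to validate
    BOGUS = "bogus"        # validation failed

@dataclass
class Answer:
    status: Status
    rdata: tuple  # simplified record data (constructed for this example)

# Constructed stand-in for a validating resolver: (owner, rrtype) -> Answer.
FAKE_DNS = {
    ("_xmpp-client._tcp.example.com", "SRV"): Answer(Status.SECURE, ("xmpp23.hosting.example.net", 5222)),
    ("xmpp23.hosting.example.net", "A"): Answer(Status.SECURE, ("192.0.2.23",)),
    ("_5222._tcp.xmpp23.hosting.example.net", "TLSA"): Answer(Status.SECURE, ("3 1 1 <constructed-hash>",)),
}

def plan_connection(service_domain, service, resolver):
    """Decide how a DANE-SRV client verifies the TLS peer; None means abort."""
    srv = resolver[(f"{service}.{service_domain}", "SRV")]
    if srv.status is Status.BOGUS:
        return None  # bogus SRV: nothing derived from it can be trusted
    target, port = srv.rdata
    # The address lookup depends on the SRV target, so it cannot start before SRV is answered.
    addr = resolver[(target, "A")]
    if addr.status is Status.BOGUS:
        return None  # bogus A/AAAA for this target: abort the connection to it
    plan = {"target": target, "port": port, "address": addr.rdata[0], "use_tlsa": False}
    if srv.status is Status.SECURE:
        # Secure SRV: both names are acceptable reference identifiers, SNI carries the target.
        plan["reference_ids"] = {service_domain, target}
        plan["sni"] = target
        # Only now is a TLSA lookup for the target meaningful (its owner name came from SRV).
        tlsa = resolver.get((f"_{port}._tcp.{target}", "TLSA"))
        if tlsa is not None and tlsa.status is Status.BOGUS:
            return None  # bogus TLSA: treated like any other validation failure (assumption)
        if tlsa is not None and tlsa.status is Status.SECURE:
            plan["use_tlsa"] = True
            plan["tlsa"] = tlsa.rdata
    else:
        # Insecure SRV (assumption): the target name is unverified, so only the
        # service domain identifies the peer and no TLSA lookup is attempted.
        plan["reference_ids"] = {service_domain}
        plan["sni"] = service_domain
    return plan
```

An insecure A/AAAA answer does not change the plan, matching the point that address-record security only matters when validation actually fails.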
