Hi Viktor,

On 22/03/2015 20:43, Viktor Dukhovni wrote:
> On Sun, Mar 22, 2015 at 08:34:56PM +0000, Alexey Melnikov wrote:
>
>>> Should use of "_submission" SRVNAMES be inferred from the target port?
>>
>> No.
>
> OK.
>
>>> Or enabled via per-destination configuration?
>>
>> I think direct host configuration must disable SRV lookups and checking for
>> sRVName in certificates.
>>
>> This is the same as manually configuring an IMAP server in an email client:
>> sRVName doesn't apply.
>
> So SRVNAME does not apply when using submission/imap/pop with a
> statically configured hostname?  Why not?  Or in any case, it was
> not 100% clear to me from the draft that SRVNAME was not intended
> to apply.
>
> [ One might suppose that SRVNAME certs, being more specific, provide
> better security, even when the hostname is fixed. ]
I always thought of sRVName as implying a DNS SRV lookup, and RFC 4985 seems to support my interpretation. But you are right, dNSName doesn't provide the necessary granularity if one wants to limit a certificate to a particular service.

I don't mind using sRVName in the way you describe, but I would like to hear other opinions on whether this is a good idea. Another alternative is to allow for uniformResourceIdentifier for the purpose you describe (they are currently prohibited by the draft, but only because they are not used).
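To make the granularity point concrete, here is a small RFC 6125-style identity check contrasting DNS-ID (dNSName) with SRV-ID (RFC 4985 SRVName, "_service.domain") matching. This is an added example, not code from the uta thread, from the draft under discussion or from any implementation. The certificate identifier lists are constructed by hand as (type, value) pairs rather than parsed from DER; the `use_srv_id` switch is an assumption standing in for the configuration question debated above (whether a statically configured host is still checked against an SRV-ID); and, as a simplification, the SRV-ID's domain portion is taken from the configured host name rather than from an SRV source domain.

```python
"""Added example (not from the thread or any draft): toy RFC 6125-style
reference-identifier matching for DNS-ID and SRV-ID.  Certificate contents
are constructed (type, value) pairs, not parsed from DER.  The `use_srv_id`
flag and the choice to build the SRV-ID from the configured host name are
assumptions of this example."""


def normalize(name: str) -> str:
    """DNS names compare case-insensitively; a trailing root dot is ignored."""
    return name.rstrip(".").lower()


def dns_id_matches(reference: str, presented: str) -> bool:
    """Match a DNS-ID reference against a presented dNSName.

    A wildcard is accepted only as the whole left-most label, covering exactly
    one label, and only when at least two fixed labels follow it.
    """
    ref = normalize(reference).split(".")
    pres = normalize(presented).split(".")
    if len(ref) != len(pres):
        return False
    if pres[0] == "*":
        return len(pres) >= 3 and ref[1:] == pres[1:]
    return ref == pres


def split_srv_id(srv_id: str):
    """'_imap.example.com' -> ('imap', 'example.com'); None if malformed."""
    if not srv_id.startswith("_") or "." not in srv_id[1:]:
        return None
    service, domain = srv_id[1:].split(".", 1)
    if not service or not domain:
        return None
    return service.lower(), normalize(domain)


def srv_id_matches(reference: str, presented: str) -> bool:
    """Both the service label and the domain must match; no wildcards here."""
    ref, pres = split_srv_id(reference), split_srv_id(presented)
    return ref is not None and ref == pres


def reference_identifiers(service: str, host: str, use_srv_id: bool) -> set:
    """Reference identifiers the client accepts for `service` at `host`.

    The DNS-ID is always the host name.  The SRV-ID "_service.host" is added
    only when the client is configured to check SRV-IDs (constructed switch;
    a real SRV-derived client would use the source domain, not the host).
    """
    refs = {("DNS-ID", normalize(host))}
    if use_srv_id:
        refs.add(("SRV-ID", "_%s.%s" % (service.lower(), normalize(host))))
    return refs


def find_match(presented, references):
    """Return the first (reference, presented) pair that matches, else None.

    Any one matching identifier type is enough in this toy; a real client
    follows RFC 6125 section 6.3 on which identifier types to prefer.
    """
    for rtype, rval in sorted(references):
        for ptype, pval in presented:
            if rtype != ptype:
                continue
            if rtype == "DNS-ID" and dns_id_matches(rval, pval):
                return (rtype, rval), (ptype, pval)
            if rtype == "SRV-ID" and srv_id_matches(rval, pval):
                return (rtype, rval), (ptype, pval)
    return None


def accepted(service: str, host: str, cert_ids, use_srv_id: bool) -> bool:
    """True if the certificate's identifiers satisfy the client's references."""
    refs = reference_identifiers(service, host, use_srv_id)
    return find_match(cert_ids, refs) is not None


# Constructed sample certificates (SAN contents only).
CERT_DNS_ONLY = [("DNS-ID", "mail.example.com")]
CERT_WILDCARD = [("DNS-ID", "*.example.com")]
CERT_IMAP_SRV_ONLY = [("SRV-ID", "_imap.mail.example.com")]

if __name__ == "__main__":
    host = "mail.example.com"
    # A dNSName cert is good for every service on the host: no granularity.
    print("dNSName cert, imap:       ", accepted("imap", host, CERT_DNS_ONLY, False))
    print("dNSName cert, submission: ", accepted("submission", host, CERT_DNS_ONLY, False))
    # An SRVName-only cert is bound to one service...
    print("SRV cert, imap:           ", accepted("imap", host, CERT_IMAP_SRV_ONLY, True))
    print("SRV cert, submission:     ", accepted("submission", host, CERT_IMAP_SRV_ONLY, True))
    # ...and is rejected outright by a client that never checks SRV-IDs.
    print("SRV cert, no SRV-ID check:", accepted("imap", host, CERT_IMAP_SRV_ONLY, False))
```

The last two cases are the two sides of the exchange above: an SRV-ID-only certificate does restrict the service it covers, but a client that treats a statically configured host as "SRV-ID does not apply" will reject such a certificate even though it names the right host.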

_______________________________________________
Uta mailing list
https://www.ietf.org/mailman/listinfo/uta