On Fri, Apr 10, 2015 at 09:46:37AM -1000, Brian Smith wrote:
> On Fri, Apr 10, 2015 at 9:34 AM, Leif Johansson <[email protected]> wrote:
> > This starts a 2 week WGLC on draft-ietf-uta-email-tls-certs. Please
> > provide your comments on the UTA list before EOB (any TZ) Friday April
> > 24 2015.
>
> What is the reason for making SRV-ID support required for email client
> software implementations? I've written certificate verification code
> that is used in one email client (Mozilla Thunderbird) that doesn't
> support SRV-ID and there's currently no plan to add SRV-ID.
>
> More generally, I think it would be good to avoid adding the
> additional requirement that clients support SRV-ID support so that
> email clients can use any RFC6125-compliant certificate verification
> library.
>
> That said, maybe I'm not understanding the importance of SRV-ID.
> Clarification of why supporting SRV-ID is important would be useful.
My understanding is that clients should support SRV-ID when they
locate the submission or IMAP service via SRV records. Most MUAs
don't do SRV lookups for either, and therefore don't need to support
SRV-ID.

If a client supports DANE, and obtains DNSSEC-validated SRV results,
and finds associated TLSA records for the target service endpoint,
then again its primary reference identifier is the target DNS name.
However, with DANE, this or a follow-on document needs to specify
whether SRV-ID should be supported as a secondary identifier to
support mixed deployments in which the SRV-ID certificate is the
only one available.

While DANE might not pan out, I think that new specifications (such
as this one) need to cover interaction with DANE, so that implementors
know how to build interoperable software with or without DANE support.

So I would urge the group to at least discuss, but ideally add a
description of how DANE fits into MUA certificate verification,
when the MUA supports DANE. I am more than willing to help
review new text in that direction.
--
Viktor.
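The distinction drawn in the thread above (a user-configured host needs only a DNS-ID; a host located via an SRV record needs the SRV-ID, with the SRV target's own DNS-ID acceptable only when the SRV answer was DNSSEC-validated) can be expressed as a small reference-identifier builder and matcher. This is an added illustration, not code from the draft, from Thunderbird, or from any participant in the thread. It models subjectAltName entries as `("DNS", name)` / `("SRV", "_service.domain")` tuples instead of parsing ASN.1, the SRV-ID string form `_service.domain` follows RFC 4985/6125, and accepting the e-mail domain's own DNS-ID alongside the SRV-ID is this example's choice rather than something the message states. Wildcard matching is applied only to DNS-IDs, as RFC 6125 allows, and never to SRV-IDs. All domain names are constructed sample values.

```python
"""Reference identifiers for a mail client's TLS certificate check.

Added example (not the draft's or any project's code). SAN entries are
modelled as (kind, value) tuples; kinds are "DNS" (dNSName) and "SRV"
(SRVName otherName, written "_service.domain" per RFC 4985).
"""
from typing import List, Optional, Set, Tuple

SAN = Tuple[str, str]  # ("DNS", "imap.example.net") or ("SRV", "_imap.example.com")


def _norm(name: str) -> str:
    """Canonicalise a DNS-style name: strip a trailing dot, lower-case."""
    return name.rstrip(".").lower()


def reference_identifiers(*, mail_domain: str, service: str,
                          configured_host: Optional[str] = None,
                          srv_target: Optional[str] = None,
                          srv_secured: bool = False) -> Set[SAN]:
    """Return the set of identifiers the presented certificate may match.

    configured_host: the user typed a server name; no SRV lookup happened,
                     so the DNS-ID of that host is the only reference.
    srv_target:      host found via an SRV lookup for `service` under
                     `mail_domain`; the SRV-ID "_service.mail_domain" is the
                     reference, and the target's DNS-ID is accepted only if
                     the SRV answer was DNSSEC-validated (srv_secured).
    The mail domain's own DNS-ID is also accepted here (example's choice).
    """
    if configured_host:
        return {("DNS", _norm(configured_host))}
    domain = _norm(mail_domain)
    refs: Set[SAN] = {("SRV", f"_{service.lower()}.{domain}"), ("DNS", domain)}
    if srv_target is not None and srv_secured:
        refs.add(("DNS", _norm(srv_target)))
    return refs


def _dns_match(presented: str, reference: str) -> bool:
    """RFC 6125 DNS-ID match: exact, or a single left-most-label wildcard
    with at least two labels after it (so "*.example" never matches)."""
    p, r = _norm(presented), _norm(reference)
    if p == r:
        return True
    if p.startswith("*."):
        rest = p[2:]
        r_labels = r.split(".")
        return ("*" not in rest and len(rest.split(".")) >= 2
                and len(r_labels) >= 3 and ".".join(r_labels[1:]) == rest)
    return False


def matching_identifier(san_entries: List[SAN], refs: Set[SAN]) -> Optional[SAN]:
    """Return the reference identifier satisfied by the certificate's SANs,
    or None if the certificate should be rejected. Useful for logging which
    identifier type (DNS-ID vs SRV-ID) actually authenticated the server."""
    for kind, presented in san_entries:
        for ref_kind, ref in refs:
            if kind != ref_kind:
                continue
            if kind == "DNS" and _dns_match(presented, ref):
                return (kind, ref)
            if kind == "SRV" and _norm(presented) == ref:  # no wildcards in SRV-ID
                return (kind, ref)
    return None


if __name__ == "__main__":
    # Constructed scenario: user's address is at example.com, the SRV lookup
    # for IMAP points at a hosting provider's server, answer not DNSSEC-signed.
    refs = reference_identifiers(mail_domain="example.com", service="imap",
                                 srv_target="mx1.hoster.example", srv_secured=False)
    print("hoster cert without SRV-ID:",
          matching_identifier([("DNS", "mx1.hoster.example")], refs))
    print("hoster cert with SRV-ID:   ",
          matching_identifier([("SRV", "_imap.example.com")], refs))
```

Running the module shows the insecure-SRV case: a certificate naming only the hosting provider's own server is rejected, while one carrying the `_imap.example.com` SRV-ID is accepted. Flip `srv_secured` to `True` and the provider's DNS-ID becomes acceptable, which is the situation the message describes for DNSSEC-validated SRV results.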
_______________________________________________
Uta mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/uta