Viktor Dukhovni <[email protected]> wrote:
> Brian Smith wrote:
>> That said, maybe I'm not understanding the importance of SRV-ID.
>> Clarification of why supporting SRV-ID is important would be useful.
>
> My understanding is that clients should support SRV-ID when they
> locate the submission or IMAP service via SRV records. Most MUAs
> don't do SRV lookups for either, and therefore don't need to support
> SRV-ID.

Even if the client uses SRV records, it will still operate just fine using DNS-IDs and without supporting SRV-ID, right?

I re-read what RFC 6125 says about using SRV-IDs instead of DNS-IDs to restrict which services a certificate is valid for. I also read RFC 6186 regarding the use of SRV records to support email client auto-configuration. The goals of each seem reasonable. But, it seems too early to mandate SRV-ID support.

First, note that the CABForum Baseline Requirements [1] say, regarding subjectAltName: "This extension MUST contain at least one entry. Each entry MUST be either a dNSName containing the Fully-Qualified Domain Name or an iPAddress containing the IP address of a server." Thus, a certificate that conforms to the CABForum Baseline Requirements MUST NOT contain any SRV-ID subjectAltNames. It is reasonable--some would even say good--for a MUA to use certificate verification logic that only validates certificates that are valid according to the CABForum Baseline Requirements. In that case, the certificate verification logic doesn't need to support SRV-ID at all, since instead it should reject--or, if it wants to be liberal, ignore--all SRV-ID subjectAltName entries. Further, because of what the CABForum Baseline Requirements say, it seems like it would be very difficult to get a certificate that contains SRV-ID subjectAltNames from a CA that typical MUAs trust.

Are there any existing MUAs, certificate verification libraries, and/or mail servers that implement support for SRV and SRV-ID that can be used for interop testing? Has any interop testing been done yet? I think such interop testing should be done before SRV-ID support is mandated or recommended.

> However, with DANE, this or a follow-on document needs to specify
> whether SRV-ID should be supported as a secondary identifier to
> support mixed deployments in which the SRV-ID certificate is the
> only one available.

I would expect that if a certificate is involved then the certificate will be used, and that DANE will be used only to help authenticate the certificate. Otherwise, there wouldn't be a certificate involved and the document wouldn't be applicable, right?

Cheers,
Brian

[1] https://cabforum.org/wp-content/uploads/BRv1.2.5.pdf

_______________________________________________
Uta mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/uta
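The verification policy the message describes, a MUA that only accepts subjectAltName entries a Baseline-Requirements-conformant certificate can carry and that either rejects or ignores SRV-ID entries, as an added example that is not code from the thread or from any MUA discussed in it. It assumes the SAN list has already been parsed into simple records (constructed sample data, not a decoded real certificate); the DNS-ID matching follows RFC 6125 section 6.4.3 with a conservative wildcard rule (whole left-most label only), and the id-on-dnsSRV OID is the one RFC 4985 assigns.

```python
"""
Added example: an RFC 6125-style subjectAltName check for a mail client
that follows the CABForum Baseline Requirements, i.e. it validates only
DNS-ID (dNSName) and iPAddress entries. SRV-ID entries (otherName of type
id-on-dnsSRV) are rejected ("strict") or ignored ("liberal").
The SAN lists at the bottom are constructed sample data.
"""
import ipaddress
from dataclasses import dataclass

# id-on-dnsSRV from RFC 4985, the otherName type used for SRV-IDs.
ID_ON_DNS_SRV = "1.3.6.1.5.5.7.8.7"


@dataclass(frozen=True)
class SanEntry:
    kind: str          # "dNSName", "iPAddress" or "otherName"
    value: str         # host name, IP literal, or otherName payload
    type_id: str = ""  # OID, only meaningful for otherName entries


def _dns_id_matches(presented: str, reference: str) -> bool:
    """RFC 6125 section 6.4.3 comparison of one dNSName with the reference.

    Labels compare case-insensitively. A wildcard is honoured only when it
    is the entire left-most label, it matches exactly one label, and at
    least two literal labels must follow it (so "*.com" never matches).
    """
    p_labels = presented.lower().rstrip(".").split(".")
    r_labels = reference.lower().rstrip(".").split(".")
    if len(p_labels) != len(r_labels) or not all(r_labels):
        return False
    if p_labels[0] == "*":
        if len(p_labels) < 3:
            return False
        return p_labels[1:] == r_labels[1:]
    if "*" in presented:
        return False  # partial wildcards such as "f*o.example.com" are not honoured
    return p_labels == r_labels


def _ip_matches(presented: str, reference: str) -> bool:
    try:
        return ipaddress.ip_address(presented) == ipaddress.ip_address(reference)
    except ValueError:
        return False


def verify_mail_server_identity(sans, reference_id, srv_id_policy="strict"):
    """Return True if reference_id (the host name or IP literal the client
    connected to) is matched by the certificate's SAN entries.

    srv_id_policy: "strict" rejects a certificate carrying an SRV-ID or any
    other entry type the Baseline Requirements forbid; "liberal" ignores
    such entries and matches on DNS-ID / iPAddress only.
    """
    if not sans:
        return False  # BR: the SAN extension MUST contain at least one entry
    try:
        ipaddress.ip_address(reference_id)
        reference_is_ip = True
    except ValueError:
        reference_is_ip = False

    matched = False
    for entry in sans:
        if entry.kind not in ("dNSName", "iPAddress"):
            # SRV-ID (id-on-dnsSRV) and any other otherName cannot appear
            # in a BR-conformant certificate.
            if srv_id_policy == "strict":
                return False
            continue
        if entry.kind == "dNSName" and not reference_is_ip:
            matched = matched or _dns_id_matches(entry.value, reference_id)
        elif entry.kind == "iPAddress" and reference_is_ip:
            matched = matched or _ip_matches(entry.value, reference_id)
    return matched


# Constructed sample SAN lists (not taken from any real certificate).
BR_CERT = [SanEntry("dNSName", "imap.example.com"),
           SanEntry("dNSName", "*.mail.example.com"),
           SanEntry("iPAddress", "192.0.2.10")]
SRV_CERT = [SanEntry("dNSName", "mail.example.com"),
            SanEntry("otherName", "_imap.example.com", ID_ON_DNS_SRV)]

if __name__ == "__main__":
    print(verify_mail_server_identity(BR_CERT, "IMAP.example.com"))              # True
    print(verify_mail_server_identity(BR_CERT, "a.b.mail.example.com"))          # False
    print(verify_mail_server_identity(SRV_CERT, "mail.example.com"))             # False
    print(verify_mail_server_identity(SRV_CERT, "mail.example.com", "liberal"))  # True
```

Under the strict policy the second sample certificate fails even though its dNSName matches, which is the point the message makes: a client that verifies against the Baseline Requirements never needs SRV-ID logic, it only needs to decide whether a forbidden entry is fatal or ignorable.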
