> The key word in that text is "another". This does not require the
> server to have a certificate that matches this identifier, provided
> there is some other suitable identifier. It provides additional
> flexibility, not a constraint.
>
> NOTE HOWEVER, that use of the server name from the SRV record as
> a DNS-ID reference identifier offers no security at all absent
> DNSSEC. So "another" might become "only" in that case.

Then we have a problem, since the SRV-ID is just an assertion from the
server. What's to keep an evil MITM from putting dukhovni.org as an
SRV-ID in its submit and imaps certificate? If the cert is signed, the
signer will look at the DNS-ID. There's no way other than RFC 6186 to
tell what the real pop or imap servers for a domain are.

> I am not aware of any adoption of RFC 6186. Are there any MUAs
> actually doing RFC 6186 SRV lookups? If there are none, is it worth
> debating?

In the absence of plausible alternatives, I think so.

R's,
John

_______________________________________________
Uta mailing list
https://www.ietf.org/mailman/listinfo/uta
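The client-side check the thread is arguing about, written out as an added example (not code from the list or from any MUA): an RFC 6186 style lookup yields an SRV target for the origin domain the user typed, and the certificate's identifiers are matched per RFC 6125, with the quoted caveat applied, a DNS-ID for the SRV target counts only when the SRV answer was DNSSEC-validated. The `Cert` type, the field names and the `dnssec_validated` flag are assumptions for the illustration, and accepting an SRV-ID assumes the issuing CA validated it, which is exactly what the message questions.

```python
# Reference-identifier matching for an RFC 6186 style MUA connection
# (RFC 6125 sections 6.2.1 and 6.4). Constructed example, not an MUA's code.
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class Cert:                                   # assumed shape of a parsed certificate
    dns_ids: List[str] = field(default_factory=list)  # subjectAltName dNSName entries
    srv_ids: List[str] = field(default_factory=list)  # SRVName otherName, "_imap.example.com"


def _dns_id_matches(presented: str, reference: str) -> bool:
    """DNS-ID compare: case-insensitive; wildcard only as the whole left-most label."""
    p, r = presented.lower().rstrip("."), reference.lower().rstrip(".")
    if p == r:
        return True
    pl, rl = p.split("."), r.split(".")
    return pl[0] == "*" and len(pl) == len(rl) and len(rl) >= 3 and pl[1:] == rl[1:]


def _srv_id_matches(presented: str, service: str, domain: str) -> bool:
    """SRV-ID is "_service.domain"; compared case-insensitively as a whole."""
    return presented.lower().rstrip(".") == f"_{service}.{domain}".lower().rstrip(".")


def accept_identity(cert: Cert, service: str, origin_domain: str,
                    srv_target: str, dnssec_validated: bool) -> Tuple[bool, str]:
    """Decide whether the cert names the server the user asked for.

    Returns (accepted, which identifier matched)."""
    # SRV-ID naming the origin domain the user typed: independent of the SRV answer
    # (relies on the CA having validated the SRV-ID before signing it).
    if any(_srv_id_matches(s, service, origin_domain) for s in cert.srv_ids):
        return True, "SRV-ID"
    # A DNS-ID for the origin domain itself is equally independent of the SRV lookup.
    if any(_dns_id_matches(d, origin_domain) for d in cert.dns_ids):
        return True, "DNS-ID(origin)"
    # A DNS-ID for the SRV target proves something only if the SRV record was
    # authenticated; otherwise whoever forged the SRV answer chose this name.
    if dnssec_validated and any(_dns_id_matches(d, srv_target) for d in cert.dns_ids):
        return True, "DNS-ID(srv-target,dnssec)"
    return False, "no acceptable identifier"
```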
