>> What's to keep an evil MITM from putting dukhovni.org as a >> SRV-ID in its submit and imaps certificate? > >The trusted CA presumably, if it is not negligent.
How is the trusted CA supposed to figure out which domains it should allow as SRV-ID? Here's a concrete real life example: I have a pop and imap server called imap.iecc.com. (It even has a signed certificate.) You're the CA, what SRV-IDs will you allow? You can ask me any questions you want, but keep in mind that my answers are not always accurate. >> >I am not aware of any adoption of RFC 6186. Are there are any MUAs >> >actually doing RFC 6186 SRV lookups? If there are none, is it worth >> >debating? >> >> In the lack of plausible alternatives, I think so. > >Well, the plausible alternatives are explicit static configuration >of the server names by the user, per instruction from the provider. I understand that's how a user configures her MTA, but you'll have to lay out in detail how the slip of paper in the user's hand tells a CA what SRV-IDs they should have allowed in the server's certificate. R's, John _______________________________________________ Uta mailing list [email protected] https://www.ietf.org/mailman/listinfo/uta
