On 01/12/2015 18:38, John Levine wrote:
>> The key word in that text is "another".  This does not require the
>> server to have a certificate that matches this identifier, provided
>> there is some other suitable identifier.  It provides additional
>> flexibility, not a constraint.
>>
>> NOTE HOWEVER, that use of the server name from the SRV record as
>> a DNS-ID reference identifier offers no security at all absent
>> DNSSEC.  So "another" might become "only" in that case.
> Then we have a problem, since the SRV-ID is just an assertion from the
> server.
But it has to be signed by a CA. If the CA is not happy for you to assert SRV-ID, it should not include SRV-ID in an issued certificate.

> What's to keep an evil MITM from putting dukhovni.org as a
> SRV-ID in its submit and imaps certificate?  If the cert is signed,
> the signer will look at the DNS-ID.  There's no way other than RFC
> 6186 to tell what the real pop or imap servers for a domain are.
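The identifier check the thread is arguing about, as an added example written for this page (it is not code from the thread, from any RFC, or from any mail client). It models the client side of an RFC 6186 SRV lookup: the reference identifiers are derived from the user's mail domain (the SRV owner name) as a DNS-ID and as an RFC 6125 SRV-ID of the form `_service.domain`; the SRV target host name is only admitted as a DNS-ID when the SRV answer was DNSSEC-validated, since otherwise it is an unauthenticated assertion from DNS. The domain names, the `SrvLookup` and `Certificate` types, and the DNSSEC flag are all constructed for the example.

```python
"""Reference-identifier selection for an RFC 6186 style SRV lookup.

Added example, not code from the thread. Names such as example.com and
mail.example.net are constructed. Assumption: the client derives its
reference identifiers from the user's mail domain (the SRV owner name)
and trusts the SRV target host name as a DNS-ID only when the SRV
answer was DNSSEC-validated.
"""
from dataclasses import dataclass, field


@dataclass
class SrvLookup:
    service: str            # "submission" or "imaps"
    owner_domain: str       # user's mail domain, the SRV owner name
    target: str             # host name returned in the SRV record
    dnssec_validated: bool  # whether the resolver validated the answer


@dataclass
class Certificate:
    dns_ids: list = field(default_factory=list)  # dNSName SAN entries
    srv_ids: list = field(default_factory=list)  # SRVName otherName entries


def dns_id_match(presented: str, reference: str) -> bool:
    """RFC 6125-style DNS-ID comparison: case-insensitive, and a wildcard
    is honoured only as the complete left-most label."""
    presented = presented.lower().rstrip(".")
    reference = reference.lower().rstrip(".")
    if presented.startswith("*."):
        ref_labels = reference.split(".")
        return (len(ref_labels) == presented.count(".") + 1
                and ".".join(ref_labels[1:]) == presented[2:])
    return presented == reference


def reference_identifiers(srv: SrvLookup) -> dict:
    """Which identifiers the client is entitled to look for."""
    refs = {
        "DNS-ID": [srv.owner_domain],
        "SRV-ID": [f"_{srv.service}.{srv.owner_domain}"],
    }
    # Without DNSSEC the target name is just whatever DNS answered; a
    # spoofed SRV record could name any host for which the attacker holds
    # a valid certificate, so the target is not a usable reference.
    if srv.dnssec_validated:
        refs["DNS-ID"].append(srv.target)
    return refs


def certificate_matches(cert: Certificate, srv: SrvLookup) -> bool:
    """True if any presented identifier matches any reference identifier."""
    refs = reference_identifiers(srv)
    for ref in refs["DNS-ID"]:
        if any(dns_id_match(p, ref) for p in cert.dns_ids):
            return True
    for ref in refs["SRV-ID"]:
        if any(p.lower() == ref.lower() for p in cert.srv_ids):
            return True
    return False


# Constructed scenario: the user's domain is example.com and the record
# _submission._tcp.example.com points at mail.example.net.
UNSIGNED = SrvLookup("submission", "example.com", "mail.example.net", False)
SIGNED = SrvLookup("submission", "example.com", "mail.example.net", True)

TARGET_ONLY = Certificate(dns_ids=["mail.example.net"])
SRV_ID_CERT = Certificate(dns_ids=["mail.example.net"],
                          srv_ids=["_submission.example.com"])
DOMAIN_CERT = Certificate(dns_ids=["*.example.com", "example.com"])

if __name__ == "__main__":
    cases = [("target only", TARGET_ONLY), ("SRV-ID", SRV_ID_CERT),
             ("domain DNS-ID", DOMAIN_CERT)]
    for name, cert in cases:
        print(f"{name:14s} unsigned={certificate_matches(cert, UNSIGNED)} "
              f"dnssec={certificate_matches(cert, SIGNED)}")
```

Run as a script, the output shows the point of the thread: a certificate naming only the SRV target host is rejected unless the SRV answer was DNSSEC-validated, while a certificate that the CA issued with the `_submission.example.com` SRV-ID, or with a DNS-ID for example.com itself, is accepted either way.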

_______________________________________________
Uta mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/uta