On Sat, Apr 30, 2016 at 07:37:13PM -0000, John Levine wrote:

> I'm quite uncomfortable with the bit that says you look up the policy
> at https://policy._mta_sts.example.com/current

That's surely a mistake. It should have been a ".well-known" URI at the domain with no prefixes.

> I have two suggestions, a reasonable one and a gross kludge.
>
> The reasonable one is to use SRV, so it'd be like this:
>
> _sts._tcp SRV 0 0 443 sts-policy.example.com.

No, SRV records break the security model, because untrusted DNS now supplies the reference identifier. The URI needs to be entirely determined from the nexthop domain with no insecure inputs.

> The gross kludge is to use xn--sts0 as the tag, e.g.
>
> https://policy.xn--sts0.example.com/current
>
> The string "sts0" is deliberately invalid punycode, so while xn--sts0
> is a valid hostname label, it's not an A-label and will never appear
> in an IDN hostname. Hence it's very unlikely to collide with other
> uses. I hope I don't have to explain why it's a kludge. My CA will
> sign it. I checked.

This is not a good idea; such names will be rejected by some systems.

-- 
Viktor.

_______________________________________________
Uta mailing list
https://www.ietf.org/mailman/listinfo/uta
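An added illustration (not code from this thread or from the MTA-STS draft) of the security-model point above: the policy server's certificate is matched against a reference identifier derived only from the nexthop domain, versus one taken from an SRV answer. The well-known path and all host and certificate names below are constructed placeholders.

```python
# Added example: contrasts the two policy-discovery designs discussed in the
# thread. The reference identifier a client matches the HTTPS certificate
# against must come only from the nexthop domain; the SRV variant lets an
# unauthenticated DNS answer choose it instead. The well-known path and the
# host/certificate names are constructed placeholders (assumptions).
WELL_KNOWN_PATH = "/.well-known/sts-policy"   # placeholder path, an assumption


def domain_derived_url(nexthop: str) -> tuple[str, str]:
    """Policy URL built from the nexthop domain alone; returns (reference_id, url)."""
    ref = nexthop.rstrip(".").lower()
    return ref, f"https://{ref}{WELL_KNOWN_PATH}"


def srv_derived_url(srv_target: str, port: int) -> tuple[str, str]:
    """Policy URL as the SRV proposal builds it: the host comes from the DNS answer."""
    ref = srv_target.rstrip(".").lower()
    return ref, f"https://{ref}:{port}/current"


def cert_matches(reference_id: str, cert_dns_names: list[str]) -> bool:
    """RFC 6125-style name check: exact match, or a single left-most wildcard label."""
    ref_labels = reference_id.lower().rstrip(".").split(".")
    for name in cert_dns_names:
        labels = name.lower().rstrip(".").split(".")
        if labels == ref_labels:
            return True
        if labels[0] == "*" and len(labels) == len(ref_labels) and labels[1:] == ref_labels[1:]:
            return True
    return False


def compare_designs(nexthop: str, srv_answer: tuple[str, int], cert_dns_names: list[str]) -> dict:
    """Run both designs against one presented certificate and report which accepts it."""
    dom_ref, dom_url = domain_derived_url(nexthop)
    srv_ref, srv_url = srv_derived_url(*srv_answer)
    return {
        "domain_url": dom_url,
        "srv_url": srv_url,
        "domain_design_accepts": cert_matches(dom_ref, cert_dns_names),
        "srv_design_accepts": cert_matches(srv_ref, cert_dns_names),
    }


if __name__ == "__main__":
    # Constructed scenario: the SRV answer was not validated (no DNSSEC), so it
    # may point anywhere; the server presents a certificate valid for that
    # target but not for the nexthop domain itself.
    result = compare_designs("example.com.", ("policy-host.example.net", 443),
                             ["policy-host.example.net"])
    print(result)  # domain design rejects, SRV design accepts the same certificate
```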
