On Wed, May 04, 2016 at 11:10:37PM -0000, John Levine wrote:
> So the answer is no, and that's why I expect there'd be a lot of
> heartburn if we wrote a spec that used a fixed label in a hostname,
> since as far as I can tell nobody's done that before. The IETF way to
> look up a hostname for a service is to use DNS SRV, and it's widely
> used. For example, approximately 100% of SIP providers use it. It
> works fine.

Yes, but layering security on SRV records absent DNSSEC is an unsolved
problem. Your proposed solution is to require the target host to
sport a certificate for the service domain, rather than the target
hostname. Yes, that addresses the security gap, and can use a
reserved "_smtp-sts-policy" prefix rather than a fixed "smtp-sts-policy"
hostname prefix.

The downside is that vanilla HTTPS libraries in their default validate
and retrieve mode will no longer work without custom overrides
for certificate validation. I've seen that done incorrectly in
many creative ways, ...

At this juncture I think we've both explained our views and understand
each other. I think the rest is up to the draft authors and the
rest of the WG.
--
Viktor.
_______________________________________________
Uta mailing list
https://www.ietf.org/mailman/listinfo/uta
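
The certificate-validation override discussed in the message above, as an added example that is not part of the original thread or of any draft: the TCP connection goes to the SRV target while the reference identity (and SNI) stays the service domain, with chain and hostname checks left on. The function names and the hosts `example.com` and `mx.example.net` are constructed for illustration.

```python
import socket
import ssl


def policy_context() -> ssl.SSLContext:
    """Default trust store with chain validation and hostname checking on."""
    ctx = ssl.create_default_context()
    # The overrides that go wrong are the ones that switch checks off, e.g.
    # ctx.check_hostname = False or ctx.verify_mode = ssl.CERT_NONE.
    # Nothing is disabled here; only the name being checked changes.
    return ctx


def open_validated(service_domain: str, target_host: str,
                   port: int = 443) -> ssl.SSLSocket:
    """Connect to target_host (e.g. taken from an SRV record) but require a
    certificate that is valid for service_domain."""
    raw = socket.create_connection((target_host, port), timeout=10)
    try:
        # server_hostname sets both the SNI value and the name the
        # certificate is matched against; target_host is only routing data
        # and, without DNSSEC, is not trusted.
        return policy_context().wrap_socket(raw, server_hostname=service_domain)
    except Exception:
        raw.close()
        raise


def client_hello(service_domain: str):
    """Start a handshake in memory (no network) to inspect which identity
    the client commits to. Returns (SSLObject, ClientHello bytes)."""
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = policy_context().wrap_bio(incoming, outgoing,
                                    server_hostname=service_domain)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: no ServerHello will ever arrive in this demo
    return tls, outgoing.read()


if __name__ == "__main__":
    # Constructed names: service domain example.com, SRV target mx.example.net.
    tls, hello = client_hello("example.com")
    print("reference identity:", tls.server_hostname)
    print("SNI carries service domain:", b"example.com" in hello)
```

A live call would be `open_validated("example.com", "mx.example.net")`; it raises `ssl.SSLCertVerificationError` when the target presents a certificate for its own hostname only.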