On Wed, Mar 06, 2013 at 10:54:20PM +0100, Jakob Schlyter wrote:
> On 6 mar 2013, at 19:20, Viktor Dukhovni <[email protected]> wrote:
>
> > This is very unlikely to be implemented in Postfix. It is predicated
> > on an API change in OpenSSL to allow it to return bare public keys
> > for the peer certificate.
>
> FWIW, there is work going on for implementing DANE in OpenSSL.

Any support for DANE in OpenSSL is exceedingly unlikely to be useful
to Postfix.

The changes to the SSL_verify callback required to support DANE
certificate usage 2 were quite easy and are already done. Postfix
already has support for end-entity certificate verification.

The Postfix verify callback also has to support pre-DANE
administrator-implemented TLS security policy (destination
specific CAs, fingerprints, and matching rules).

All that remains to be added is support for hybrid policies where
some TLSA records provide EE cert information and other TLSA records
provide TA cert information.

Postfix will need a new security level which is a hybrid of
"fingerprint" and "verify" matching either a set of TA certs or a
set of "EE" certs. This is easy.

The trickiest part will be integrating all of this with the MX
resolution and connection retry logic. OpenSSL won't be of any
help there.

> I suggest you wait for this before moving forward.

Thanks, but I'm moving ahead independently.
--
Viktor.
_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane
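The hybrid EE/TA policy described in the message above, as an added illustration that is not Postfix code and not part of the original thread: each TLSA record is applied with its own selector and matching type, DANE-EE (usage 3) records are checked against the peer's leaf certificate only, and DANE-TA (usage 2) records against the issuer certificates the peer presented. The `Cert` type, the `hybrid_verify` function and the sample records are constructed for this example; the certificate bytes are placeholders rather than real DER.

```python
import hashlib
from dataclasses import dataclass
from typing import Iterable, Sequence, Tuple

# TLSA certificate usages (RFC 6698) that matter for the hybrid policy.
DANE_TA = 2  # trust-anchor assertion: match an issuer cert in the peer's chain
DANE_EE = 3  # end-entity assertion: match the peer's leaf cert only
# Usages 0 and 1 (PKIX-TA, PKIX-CA) additionally require public-CA path
# validation, which opportunistic SMTP TLS has no anchor for; ignored here.


@dataclass(frozen=True)
class TLSARecord:
    usage: int
    selector: int       # 0 = full DER certificate, 1 = SubjectPublicKeyInfo
    matching_type: int  # 0 = exact bytes, 1 = SHA-256 digest, 2 = SHA-512 digest
    data: bytes


@dataclass(frozen=True)
class Cert:
    # Hypothetical stand-in for a parsed X.509 certificate: in real code these
    # would be the DER encoding and the extracted SubjectPublicKeyInfo.
    der: bytes
    spki: bytes


def tlsa_matches(record: TLSARecord, cert: Cert) -> bool:
    """Apply one TLSA record's selector and matching type to one certificate."""
    selected = cert.der if record.selector == 0 else cert.spki
    if record.matching_type == 0:
        return selected == record.data
    if record.matching_type == 1:
        return hashlib.sha256(selected).digest() == record.data
    if record.matching_type == 2:
        return hashlib.sha512(selected).digest() == record.data
    return False  # unknown matching type: the record is unusable, never matches


def hybrid_verify(records: Iterable[TLSARecord],
                  chain: Sequence[Cert]) -> Tuple[bool, str]:
    """Hybrid EE/TA policy: succeed if any usable record matches.

    chain[0] is the peer's end-entity certificate, followed by the issuer
    certificates the peer presented.  A DANE-TA match here only shows that
    the asserted trust anchor is present; a real implementation must still
    validate the signature chain from the leaf up to that anchor and, for
    TA matches, check the server name against the leaf.
    """
    usable = [r for r in records if r.usage in (DANE_TA, DANE_EE)]
    if not usable:
        return False, "no usable TLSA records"
    leaf, issuers = chain[0], chain[1:]
    for r in usable:
        if r.usage == DANE_EE and tlsa_matches(r, leaf):
            return True, "leaf matched a DANE-EE record"
        if r.usage == DANE_TA and any(tlsa_matches(r, c) for c in issuers):
            return True, "an issuer matched a DANE-TA record"
    return False, "no TLSA record matched the presented chain"


# Constructed sample input (placeholder bytes, not real certificates).
SAMPLE_LEAF = Cert(der=b"leaf-cert-der", spki=b"leaf-spki")
SAMPLE_ISSUER = Cert(der=b"issuer-cert-der", spki=b"issuer-spki")
SAMPLE_CHAIN = [SAMPLE_LEAF, SAMPLE_ISSUER]
RECORD_EE = TLSARecord(DANE_EE, 1, 1, hashlib.sha256(b"leaf-spki").digest())
RECORD_TA = TLSARecord(DANE_TA, 0, 1, hashlib.sha256(b"issuer-cert-der").digest())
RECORD_STALE = TLSARecord(DANE_EE, 1, 1, hashlib.sha256(b"old-leaf-spki").digest())
RECORD_PKIX = TLSARecord(0, 0, 1, hashlib.sha256(b"issuer-cert-der").digest())

if __name__ == "__main__":
    # A stale EE record alone fails, but the TA record rescues the connection.
    print(hybrid_verify([RECORD_STALE], SAMPLE_CHAIN))
    print(hybrid_verify([RECORD_STALE, RECORD_TA], SAMPLE_CHAIN))
```

The policy succeeds on the first matching record, so a zone that publishes both a key-rollover EE record and a longer-lived TA record keeps working while the leaf changes; records with usages or matching types the client does not understand are skipped rather than treated as a match.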