On Thu, Oct 26, 2017 at 7:56 PM, Keith Moore <[email protected]> wrote:
> On 10/26/2017 07:18 PM, Chris Newman wrote: > > Line 304 > preference to services supporting STARTTLS (if offered). (See > also Section 4.5.) > I note that 6186 is kind of unclear on what should go in SNI. It obviously > needs to be what you are checking against (which 6186 gets right) but > maybe > it's worth clarifying in this document somewhere. > > Hmm. I might need to come back to that one. Lots of layers to sift > through. Feel free to suggest text. > > > I believe RFC 7817 handles this issue sufficiently. > > > Not sure whether EKR was referring specifically to the use of SNI with SRV > records or not, but that's what I had assumed he meant. So far I haven't > found any specific advice for (a) what name the MUA should specify in SNI, > or (b) what names the server should recognize and have certificates for. > It's pretty clear that the server needs to have a certificate for the name > on the right hand side of the SRV record, but should it also have a > certificate for the name on the left hand side? (e.g. _pop3s._ > tcp.example.com?) That would potentially make SRV discovery more > secure. > The entire principle here is that (absent DNSSEC) TLS operates on what was fed into the client. But I think that's well beyond what the WG (and IESG) approved. So I > guess I'm inclined to leave the -10 text as it is now without specifically > addressing this issue. > Hmm..... No, I don't think that that's good. IESG approval or not, this text needs to be clear and safe.... -Ekr > > Keith > >
_______________________________________________ Uta mailing list [email protected] https://www.ietf.org/mailman/listinfo/uta
