--On Friday, 07 May, 2004 10:58 -0700 Russ Allbery <rra@Stanford.edu> wrote:

> Markus Stumpf <maex-lists-email-ietf-smtp@Space.Net> writes:
>
>> On Thu, May 06, 2004 at 09:11:54PM -0700, Russ Allbery wrote:
>>
>>> I'm very suspicious of any place where TLS is done expecting
>>> any certificate other than the one matching the name that
>>> the user typed into their configuration or program, since it
>>> opens an avenue for attack.
>>
>> How about
>>
>> www.example.COM CNAME cname.example.ORG.
>> cname.example.ORG A 10.0.0.1
>>
>> https://www.example.com/
>>
>> Will the browser complain or is it happy as long as
>> cname.example.com
>> has a valid cert?
>
> The browser will complain, in the absence of implementation by
> both the server and the client of the new server_name TLS
> extension, unless that web site actually presents a
> certificate for www.example.com.
>
>> Didn't find a setup like that for the moment, so I can't
>> check myself, but maybe someone on this list knows one ...
>
> This is the reason why you didn't find an example like that.
> This is why web sites that require TLS have a separate IP
> address for every host name.

Of course, their doing so defeats all of the effort that people
put into getting HOST into HTTP, the position of sundry RIRs
that assigning multiple addresses to one interface on a given
host in order to work around poor protocol design was not
justification for more addresses, etc. Sigh.

And I imagine that is part of the distinction Keith is trying to
make. Whatever the other issues with MXs are, they are slightly
different issues.

john
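The check Russ describes (the certificate must match the name the user typed, and the server_name extension carries that same name rather than the CNAME target), written out as an added Python example; this is not code from the thread, and the SAN lists are constructed samples for the www.example.com / cname.example.org setup Markus sketches.

```python
import re
import socket
import ssl

# Constructed samples for Markus's setup: the host behind the CNAME presents
# either a cert for its own name (wrong for the user's URL) or one for the
# name the user typed (what the browser actually requires).
CNAME_TARGET_CERT_SANS = ["cname.example.org"]
TYPED_NAME_CERT_SANS = ["www.example.com", "example.com"]


def name_matches(typed_name, san_dns_names):
    """RFC 6125-style match of a hostname against dNSName SAN entries.

    Comparison is case-insensitive; a wildcard is allowed only as the whole
    leftmost label and matches exactly one label, so '*.example.com' matches
    'www.example.com' but neither 'example.com' nor 'a.b.example.com'.
    """
    host = typed_name.rstrip(".").lower()
    for san in san_dns_names:
        san = san.rstrip(".").lower()
        labels = san.split(".")
        if "*" not in san:
            if host == san:
                return True
            continue
        # Reject 'www.*.com', '*.com' and partial-label forms like 'w*.example.com'.
        if labels[0] != "*" or len(labels) < 3 or any("*" in l for l in labels[1:]):
            continue
        if re.fullmatch(r"[^.]+\." + re.escape(".".join(labels[1:])), host):
            return True
    return False


def connect_with_typed_name(typed_name, port=443):
    """Open a TLS connection verified against the name the user typed.

    server_hostname both fills the server_name (SNI) extension and is the name
    the peer certificate is checked against. The CNAME chain is followed only
    to obtain an IP for the TCP connection; it never changes which name the
    certificate must carry.
    """
    ctx = ssl.create_default_context()  # chain verification + hostname check on
    raw = socket.create_connection((typed_name, port))  # resolver follows CNAME
    return ctx.wrap_socket(raw, server_hostname=typed_name)
```

connect_with_typed_name needs network access and is shown only for where the typed name goes; name_matches is the offline part a test can exercise.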