ietf-smtp

Re: SMTP/TLS: Authentication of an SMTP server's identity

2004-05-07 11:34:53

--On Friday, 07 May, 2004 10:58 -0700 Russ Allbery <rra(_at_)Stanford(_dot_)edu> wrote:

> Markus Stumpf <maex-lists-email-ietf-smtp(_at_)Space(_dot_)Net> writes:
>> On Thu, May 06, 2004 at 09:11:54PM -0700, Russ Allbery wrote:
>>
>>> I'm very suspicious of any place where TLS is done expecting
>>> any certificate other than the one matching the name that
>>> the user typed into their configuration or program, since it
>>> opens an avenue for attack.
>>
>> How about
>>     www.example.COM     CNAME   cname.example.ORG.
>>     cname.example.ORG   A       10.0.0.1
>>
>>     https://www.example.com/
>>
>> Will the browser complain or is it happy as long as
>>     cname.example.com
>> has a valid cert?
>
> The browser will complain, in the absence of implementation by
> both the server and the client of the new server_name TLS
> extension, unless that web site actually presents a
> certificate for www.example.com.
>
>> Didn't find a setup like that for the moment, so I can't
>> check myself, but maybe someone on this list knows one ...
>
> This is the reason why you didn't find an example like that.
> This is why web sites that require TLS have a separate IP
> address for every host name.

Of course, their doing so defeats all of the effort that people put into getting HOST into HTTP, the position of sundry RIRs that assigning multiple addresses to one interface on a given host in order to work around poor protocol design was not justification for more addresses, etc. Sigh.

And I imagine that is part of the distinction Keith is trying to make. Whatever the other issues with MXs are, they are slightly different issues.

   john
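The check Russ describes above, as an added example that is not part of this thread: a TLS client compares the name the user typed (www.example.com) against the certificate's names, so a certificate issued to the CNAME target (cname.example.org) does not satisfy it. The matching rules follow RFC 2818 / RFC 6125 (dNSName SANs first, subject CN only as a fallback, wildcard only as the whole left-most label); the certificate dictionary and the two hostnames are constructed for the example.

```python
# Added example (not from the thread): hostname verification as a TLS
# client performs it, against the name the user typed, not the CNAME target.

def _name_matches(pattern: str, hostname: str) -> bool:
    """Compare one certificate name pattern with a hostname, case-insensitively."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    # Wildcard: "*.example.com" matches "www.example.com" but neither
    # "example.com" nor "a.b.example.com".
    suffix = pattern[1:]                      # ".example.com"
    if not hostname.endswith(suffix):
        return False
    left = hostname[: -len(suffix)]
    return bool(left) and "." not in left


def hostname_matches_cert(cert: dict, hostname: str) -> bool:
    """Return True if `hostname` is one of the names the certificate covers.

    `cert` uses the layout of ssl.SSLSocket.getpeercert(): 'subjectAltName'
    is a tuple of (type, value) pairs; 'subject' is a tuple of RDNs, each a
    tuple of (key, value) pairs.
    """
    san_dns = [v for (t, v) in cert.get("subjectAltName", ()) if t == "DNS"]
    if san_dns:
        # When dNSName SANs are present, the subject CN is ignored entirely.
        return any(_name_matches(p, hostname) for p in san_dns)
    # Legacy fallback: subject commonName.
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName" and _name_matches(value, hostname):
                return True
    return False


# Constructed sample: the certificate was issued to the CNAME target,
# not to the name in the URL the user typed.
CNAME_TARGET_CERT = {
    "subject": ((("commonName", "cname.example.org"),),),
    "subjectAltName": (("DNS", "cname.example.org"),),
}
TYPED_NAME = "www.example.com"       # the name in https://www.example.com/
CNAME_TARGET = "cname.example.org"   # what the DNS CNAME resolved to

if __name__ == "__main__":
    print("typed name accepted:", hostname_matches_cert(CNAME_TARGET_CERT, TYPED_NAME))
    print("CNAME target accepted:", hostname_matches_cert(CNAME_TARGET_CERT, CNAME_TARGET))
```

The first call returns False and the second True: the DNS indirection is invisible to the client, which is exactly why the site must present a certificate for www.example.com (or, with server_name, select one per requested name on a shared address).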