[Top] [All Lists]

Re: Any interest in rigorous definition for SSL certificate verification in SMTP?

2011-11-15 21:02:46

At 18:14 -0800 on 11/14/2011, Carl S. Gutekunst wrote about Re: Any interest in rigorous definition for SSL certificate:

Alexey Melnikov wrote:
 >> ... one of the references for DANE -- RFC 6125 -- seems to be exactly
 what I was looking for. Unfortunately, it very deliberately codifies
 the language from RFC 2818 for wildcards, with the established
 practice for SMTP being a SHOULD NOT.
 Backward compatibility might be a sufficient reason to violate the

I don't think it's that easy. The issue is with Email virtual hosting
implementations that embed the virtual domain name (or any token with
dots in it) in the MX record. For example, if you look up the MX record
for, you'll see:        86382    IN    MX    100        86382    IN    MX    200

Postini's SSL certificate reads:

Subject: C=US, ST=California, L=Mountain View, O=Google Inc, CN=*

Why not use a Certificate with CN=*.*.s8?? (or whatever is needed to map the s8XX section) to solve this issue? - or is more than one wild card level invalid or having more than one certificate with different specificity levels also invalid?

<Prev in Thread] Current Thread [Next in Thread>