ietf-smtp
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: Any interest in rigorous definition for SSL certificate verification in SMTP?

2011-11-15 21:02:46
from [Robert A. Rosenberg] [Permanent Link]
At 18:14 -0800 on 11/14/2011, Carl S. Gutekunst wrote about Re: Any interest in rigorous definition for SSL certificate: 


Alexey Melnikov wrote:
 >> ... one of the references for DANE -- RFC 6125 -- seems to be exactly

 what I was looking for. Unfortunately, it very deliberately codifies
 the language from RFC 2818 for wildcards, with the established
 practice for SMTP being a SHOULD NOT.

 Backward compatibility might be a sufficient reason to violate the
 SHOULD NOT.


I don't think it's that easy. The issue is with Email virtual hosting
implementations that embed the virtual domain name (or any token with
dots in it) in the MX record. For example, if you look up the MX record
for gutekunst.org, you'll see:

    gutekunst.org.        86382    IN    MX    100
    gutekunst.org.s8a1.psmtp.com.
    gutekunst.org.        86382    IN    MX    200
    gutekunst.org.s8a2.psmtp.com.
    [snip]

Postini's SSL certificate reads:
Subject: C=US, ST=California, L=Mountain View, O=Google Inc, CN=*.psmtp.com
Why not use a Certificate with CN=*.*.s8??.psmtp.com (or whatever is needed to map the s8XX section) to solve this issue? - or is more than one wild card level invalid or having more than one certificate with different specificity levels also invalid?
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: Any interest in rigorous definition for SSL certificate verification in SMTP?, Tony Finch
Next by Date:  Re: Any interest in rigorous definition for SSL certificate verification in SMTP?, Carl S. Gutekunst
Previous by Thread:  SMTP TLS and CN Domain Matching, Hector Santos
Next by Thread:  Re: Any interest in rigorous definition for SSL certificate verification in SMTP?, Carl S. Gutekunst
Indexes:  [Date] [Thread] [Top] [All Lists]