ietf-smtp

Re: Any interest in rigorous definition for SSL certificate verification in SMTP?

2011-11-21 04:37:26

On 16/11/2011 02:44, Robert A. Rosenberg wrote:

At 18:14 -0800 on 11/14/2011, Carl S. Gutekunst wrote about Re: Any interest in rigorous definition for SSL certificate:

Alexey Melnikov wrote:
>> ... one of the references for DANE -- RFC 6125 -- seems to be exactly
 what I was looking for. Unfortunately, it very deliberately codifies
 the language from RFC 2818 for wildcards, with the established
 practice for SMTP being a SHOULD NOT.
 Backward compatibility might be a sufficient reason to violate the
 SHOULD NOT.
I don't think it's that easy. The issue is with Email virtual hosting
implementations that embed the virtual domain name (or any token with
dots in it) in the MX record. For example, if you look up the MX record
for gutekunst.org, you'll see:

    gutekunst.org.        86382    IN    MX    100 gutekunst.org.s8a1.psmtp.com.
    gutekunst.org.        86382    IN    MX    200 gutekunst.org.s8a2.psmtp.com.
    [snip]

Postini's SSL certificate reads:

    Subject: C=US, ST=California, L=Mountain View, O=Google Inc, CN=*.psmtp.com

I would like to know how well this kind of SubjectName DN works for email clients. Do you have any information on this?

Why not use a Certificate with CN=*.*.s8??.psmtp.com (or whatever is needed to map the s8XX section) to solve this issue? - or is more than one wild card level invalid or having more than one certificate with different specificity levels also invalid?

I don't think "?" is allowed. Multiple wildcards are either disallowed or discouraged by RFC 5280.
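An added example, not part of the original message or thread: a small Python matcher that applies a strict reading of the RFC 6125 wildcard rule (`*` only as the complete left-most label, covering exactly one label) to the MX hostnames and certificate names quoted above. The function name `match_dns_id` and the choice to reject partial-label wildcards are assumptions made for this illustration.

```python
# Illustrative matcher (added example). Names from the thread are used as
# sample input; the function and its strictness are assumptions.

def match_dns_id(pattern: str, hostname: str) -> bool:
    """Return True if a certificate DNS name matches the reference hostname.

    Strict reading of the RFC 6125 wildcard rule: '*' is accepted only as the
    entire left-most label and stands for exactly one label.
    """
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if any(not label for label in p + h):
        return False                      # empty label, malformed name
    if "?" in pattern:
        return False                      # '?' is not a certificate wildcard
    if any("*" in label for label in p[1:]):
        return False                      # wildcard outside left-most label
    if "*" in p[0] and p[0] != "*":
        return False                      # partial-label wildcard: refused here
    if len(p) != len(h):
        return False                      # '*' never spans several labels
    if p[0] == "*":
        return p[1:] == h[1:]
    return p == h


# MX targets quoted in the thread (trailing dot as in the zone data).
MX_HOSTS = ["gutekunst.org.s8a1.psmtp.com.", "gutekunst.org.s8a2.psmtp.com."]

# Certificate names discussed in the thread, plus one constructed variant.
PATTERNS = [
    "*.psmtp.com",            # Postini certificate CN
    "*.*.s8??.psmtp.com",     # proposal from the thread
    "*.*.s8a1.psmtp.com",     # constructed: same idea without '?'
]


def evaluate(patterns, hosts):
    """Map each (pattern, host) pair to the match result."""
    return {(p, h): match_dns_id(p, h) for p in patterns for h in hosts}


if __name__ == "__main__":
    for (p, h), ok in evaluate(PATTERNS, MX_HOSTS).items():
        print(f"{p:22} vs {h:32} -> {'match' if ok else 'no match'}")
```

Under this rule none of the three names matches either MX target: the Postini name covers only one label below `psmtp.com`, and the multi-level patterns are rejected outright.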
