Re: [dane] draft-fanf-dane-smtp

2012-05-27 18:22:56

James Cloos wrote:
I've read the draft now.  It looks good.

§3 specifies that the hostname MUST be in the cert as a DNS-ID and
also MAY be there as a CN-ID.

I suspect there are enough MXs in use still using certs generated (with
long validity periods) which were generated back when only CN was used
for the dns names.

How does this apply to the usage of global wildcard certs? In addition, not a CA wildcard signed cert, but a unique domain?

For example, I use it for our HTTPS (web site) SSL, for eCommerce mainly, but since the FTP, SMTP, POP, NNTP and TELNET servers are running on the same machine, I use the same cert for their TLS capabilities or specific implicit SSL ports, if any, as well.

If a TLSA record allows for a server-authorized association with the connecting host name, then I can see some worth in this dane-smtp proposal - from the client POV seeking a higher level of security.
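The two concerns raised in this exchange (a DNS-ID requirement stranding older CN-only certs, and how a wildcard cert shared across SMTP/FTP/POP on one host would match) come down to how a client matches the MX hostname against the identities in the certificate. The following Python is an added illustration written for this thread, not code from the draft, from any mail server, or from the posters; the `CertIdentities` structure, the `allow_cn_fallback` policy switch and the sample certificates are constructed for the example. It applies the RFC 6125 matching shape: SAN dNSName entries (DNS-ID) take precedence, the CN is consulted only when no DNS-ID exists and the policy permits it, and a wildcard is accepted only as the whole left-most label matching exactly one label.

```python
"""Hostname matching for an MX's TLS certificate: DNS-ID (subjectAltName
dNSName) versus CN-ID (subject CommonName), with wildcard handling.

Added example for the draft-fanf-dane-smtp thread; not code from the draft
or from any MTA. Policy names and sample certificates are constructed.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class CertIdentities:
    """Identity fields a verifier would extract from an X.509 certificate."""
    dns_ids: List[str] = field(default_factory=list)  # subjectAltName dNSName entries
    cn_id: Optional[str] = None                        # subject CommonName, if present


def _label_match(pattern: str, hostname: str) -> bool:
    """Match one presented identifier against a hostname.

    A '*' is accepted only as the complete left-most label and it matches
    exactly one label: '*.example.net' matches 'mx1.example.net' but not
    'example.net' or 'a.b.example.net'. Partial wildcards ('m*.example.net')
    and wildcards that are too broad ('*.net') are rejected.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or "*" in pattern[2:]:
        return False  # partial or non-left-most wildcard
    if len(p_labels) < 3:
        return False  # refuse '*.net' style wildcards
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def match_hostname(cert: CertIdentities, hostname: str, allow_cn_fallback: bool) -> str:
    """Return how the hostname was matched: 'dns-id', 'cn-id' or 'none'.

    If the certificate carries any DNS-ID, the CN is ignored entirely; the
    CN is only consulted when there is no SAN dNSName at all and the
    caller's policy permits the fallback. A "DNS-ID MUST" rule corresponds
    to allow_cn_fallback=False, which is what strands CN-only certs.
    """
    if cert.dns_ids:
        if any(_label_match(p, hostname) for p in cert.dns_ids):
            return "dns-id"
        return "none"
    if allow_cn_fallback and cert.cn_id and _label_match(cert.cn_id, hostname):
        return "cn-id"
    return "none"


# Constructed sample certificates (not real ones).
OLD_CN_ONLY = CertIdentities(dns_ids=[], cn_id="mail.example.net")
WILDCARD_SAN = CertIdentities(dns_ids=["*.example.net", "example.net"], cn_id="*.example.net")
SAN_AND_CN = CertIdentities(dns_ids=["www.example.net"], cn_id="mail.example.net")

if __name__ == "__main__":
    for name, cert in [("cn-only", OLD_CN_ONLY), ("wildcard", WILDCARD_SAN), ("san+cn", SAN_AND_CN)]:
        strict = match_hostname(cert, "mail.example.net", allow_cn_fallback=False)
        lenient = match_hostname(cert, "mail.example.net", allow_cn_fallback=True)
        print(f"{name:9s} DNS-ID only: {strict:7s} with CN fallback: {lenient}")
```

Running it shows the three outcomes the thread worries about: the old CN-only cert matches only when the CN fallback is allowed, the wildcard SAN cert matches `mail.example.net` under either policy (so one wildcard cert serving SMTP, POP and FTP on the same host is fine as long as the MX name sits one label below the wildcard), and a cert whose SAN names only `www.example.net` fails even though its CN says `mail.example.net`, because a present DNS-ID list switches the CN off.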


