James Cloos wrote:
I've read the draft now. It looks good.
§3 specifies that the hostname MUST be in the cert as a DNS-ID and
also MAY be there as a CN-ID.
I suspect there are enough MXs in use still using certs generated (with
long validity periods) which were generated back when only CN was used
for the dns names.
How does this apply to the usage of global wildcard certs? In
addition, not a CA wildcard signed cert, but a unique domain?
For example, I use secure.winserver.com for our HTTPS (web site) SSL
for eCommerce mainly, but since the FTP, SMTP, POP, NNTP and TELNET
servers are running on the same machine, I use the same cert for
their TLS capabilities or specific implicit SSL ports, if any, as well.
If a TLSA record allows for a server authorized association of the
CN=secure.winserver.com with the connecting host name, then I can see
some worth in this dane-smtp proposal - from the client POV seeking a
higher level of security.
--
HLS
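As an added illustration of the DNS-ID/CN-ID question raised in the thread (example code, not from the draft or from either poster), the check below accepts a certificate for a hostname only through its DNS-IDs, and consults the CN solely when the cert carries no DNS-ID at all and the verifier opts in. Certificate identities are modelled as plain Python data rather than parsed from DER, and the hostnames used are the ones quoted in the thread.

```python
"""Name-matching check for the DNS-ID vs CN-ID question (constructed example)."""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class CertIdentities:
    """Identity fields a verifier would extract from an X.509 certificate."""
    dns_ids: List[str] = field(default_factory=list)  # subjectAltName dNSName entries
    cn_id: Optional[str] = None                       # subject CommonName, if any


def _label_match(pattern: str, name: str) -> bool:
    """Match one presented identifier against the reference hostname.

    Wildcards follow the RFC 6125 rule: a single '*' may stand in for the
    whole left-most label only, so '*.winserver.com' matches
    'secure.winserver.com' but not 'a.b.winserver.com' or 'winserver.com'.
    """
    pattern = pattern.lower().rstrip(".")
    name = name.lower().rstrip(".")
    if pattern == name:
        return True
    if not pattern.startswith("*."):
        return False
    p_labels, n_labels = pattern.split("."), name.split(".")
    if len(p_labels) < 3:  # refuse '*.com'-style wildcards on a bare TLD
        return False
    return len(n_labels) == len(p_labels) and n_labels[1:] == p_labels[1:]


def hostname_matches(cert: CertIdentities, hostname: str, allow_cn_fallback: bool) -> bool:
    """Return True if `cert` is acceptable for `hostname`.

    DNS-IDs are always consulted first. When any DNS-ID is present but none
    matches, the CN is ignored. The CN is used only for a legacy CN-only
    certificate and only when the caller has enabled the fallback, which is
    the MUST-DNS-ID / MAY-CN-ID distinction discussed in the thread.
    """
    if any(_label_match(d, hostname) for d in cert.dns_ids):
        return True
    if cert.dns_ids:
        return False
    if allow_cn_fallback and cert.cn_id is not None:
        return _label_match(cert.cn_id, hostname)
    return False
```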