
Re: SMTP+TLS to MXs, was Re: Comments on Draft IRTF ASRG DNSBL - 07

2008-11-14 02:13:55

In message 
<alpine(_dot_)LRH(_dot_)2(_dot_)00(_dot_)0811140811531(_dot_)5889(_at_)netcore(_dot_)fi>,
 Pekka Savola writes:
On Fri, 14 Nov 2008, Mark Andrews wrote:
In message 
<alpine(_dot_)LSU(_dot_)2(_dot_)00(_dot_)0811131135530(_dot_)14367(_at_)hermes-1(_dot_)csi(_dot_)cam(_dot_)ac(_dot_)uk>,
 Tony Finch writes:
You also need the server to provide a verifiable TLS certificate. 
The vast majority of them are not. This problem is perhaps even 
harder to fix than the lack of DNSSEC.

    Just use DNSSEC and CERT records to do that.
...
    If self signed, look in the DNS for the CERT.  Accept if
    signed and validated by DNSSEC.

How does an application do "accept if signed and validated by DNSSEC"?

        You validate the CERT RRset using the techniques in RFC
        4033, 4034 and 4035.  If the answer is "secure" then it was
        signed and validated.  You then match the offered cert to the CERT
        RRs using the information from RFC 4398.

        Do you need more detail or is that enough guidance?

        Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews(_at_)isc(_dot_)org
_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf
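The two steps Mark describes (validate the CERT RRset per RFC 4033/4034/4035 and proceed only on a "secure" result, then match the offered certificate against the CERT RRs per RFC 4398) as an added example that is not part of the original thread. It assumes DNSSEC validation has already been performed by a validating resolver or library that reports the RFC 4035 section 4.3 status ("secure", "insecure", "bogus", "indeterminate"); the CERT RDATA layout follows RFC 4398 section 2 and the key tag is computed with RFC 4034 Appendix B over the certificate's public key in DNSKEY RDATA form (the reading of RFC 4398 section 2.1 this example follows). The certificate bytes and the DNSKEY-form key are constructed placeholders, and `accept_offered_cert` is a hypothetical helper name.

```python
import hmac
import struct
from dataclasses import dataclass
from typing import Iterable

# Certificate type values from RFC 4398 section 2.1 (only PKIX is matched here)
CERT_TYPE_PKIX = 1      # X.509 certificate, DER encoded, per PKIX
CERT_TYPE_SPKI = 2
CERT_TYPE_PGP = 3

# DNSSEC algorithm number used by the constructed data (RSA/SHA-1, RFC 4034)
ALG_RSASHA1 = 5


@dataclass(frozen=True)
class CertRR:
    cert_type: int
    key_tag: int
    algorithm: int
    certificate: bytes


def key_tag_rfc4034(dnskey_rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B over a DNSKEY RDATA (all algorithms except 1)."""
    ac = 0
    for i, octet in enumerate(dnskey_rdata):
        ac += octet if i & 1 else octet << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def build_cert_rdata(cert_type: int, key_tag: int, algorithm: int, certificate: bytes) -> bytes:
    """CERT RDATA wire layout (RFC 4398 section 2): type(2) key tag(2) algorithm(1) cert."""
    return struct.pack("!HHB", cert_type, key_tag, algorithm) + certificate


def parse_cert_rdata(rdata: bytes) -> CertRR:
    """Split CERT RDATA into its fixed header and the certificate payload."""
    if len(rdata) < 5:
        raise ValueError("CERT RDATA shorter than its fixed 5-octet header")
    cert_type, key_tag, algorithm = struct.unpack("!HHB", rdata[:5])
    return CertRR(cert_type, key_tag, algorithm, rdata[5:])


def accept_offered_cert(offered_der: bytes, offered_key_dnskey_rdata: bytes,
                        cert_rrset: Iterable[bytes], dnssec_status: str) -> bool:
    """Hypothetical helper: gate on a 'secure' RRset, then match per RFC 4398."""
    # Step 1: only an RRset whose RFC 4035 validation result is "secure" counts.
    # "insecure", "bogus" and "indeterminate" all mean the CERT data is unproven.
    if dnssec_status != "secure":
        return False
    expected_tag = key_tag_rfc4034(offered_key_dnskey_rdata)
    for rdata in cert_rrset:
        rr = parse_cert_rdata(rdata)
        if rr.cert_type != CERT_TYPE_PKIX:
            continue  # other types carry other formats; out of scope here
        # Algorithm 0 means "unknown to secure DNS", so its key tag is not a usable hint.
        if rr.algorithm != 0 and rr.key_tag != expected_tag:
            continue  # cheap prefilter: a tag mismatch cannot be this certificate
        # Step 2: the offered certificate must equal the published DER bytes.
        if hmac.compare_digest(rr.certificate, offered_der):
            return True
    return False


# --- Constructed sample data (not a real certificate or key) ---
OFFERED_DER = b"\x30\x82\x00\x10" + b"constructed-x509-der"
# DNSKEY RDATA form of the certificate's key: flags=256, protocol=3, alg=5, key bytes
OFFERED_KEY_RDATA = struct.pack("!HBB", 256, 3, ALG_RSASHA1) + b"constructed-rsa-key"
OFFERED_KEY_TAG = key_tag_rfc4034(OFFERED_KEY_RDATA)

CERT_RRSET = [
    # A PGP entry at the same name that the matcher must skip
    build_cert_rdata(CERT_TYPE_PGP, 0, 0, b"constructed-pgp-key"),
    # The PKIX entry that corresponds to the offered certificate
    build_cert_rdata(CERT_TYPE_PKIX, OFFERED_KEY_TAG, ALG_RSASHA1, OFFERED_DER),
]


if __name__ == "__main__":
    for status in ("secure", "insecure", "bogus"):
        ok = accept_offered_cert(OFFERED_DER, OFFERED_KEY_RDATA, CERT_RRSET, status)
        print(f"status={status:<10} accept={ok}")
```

The status string stands in for whatever a local validating library reports; an AD bit relayed by a remote recursive resolver is only as trustworthy as the path to that resolver, so a client that cannot validate locally should treat it as "indeterminate" rather than "secure".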