
Re: Last Call: draft-daboo-srv-caldav (Use of SRV records

2010-06-23 20:01:32
Cyrus Daboo wrote:

So, the "connect the dots" is to:

- Announce the fact example.com is hosted at calendarserverfoobar.com
(with some URL) in DNS

- Secure that announcement in DNS with DNSSEC

- Verify the SSL (for example) cert for the connection to
calendarserverfoobar.com matches

So the srv-caldav (and srv-email) drafts reference Section 3 of 
draft-saintandre-tls-server-id-check which describes how clients can go 
about verifying a server identity when using TLS under various 
circumstances, including an initial discovery via SRV records.

- Do application layer authentication etc over the then encrypted
connection

Sounds ok?

Well the key here is DNSSEC of course!

Absolutely.  Without DNSSEC verification by the client,
there is zero security when DNS SRV records are used to
determine the hostname of the server.


It took many many years from the DNSSEC spec to
the creation of secure DNS zones in the DNS root.

It'll take at least 5 years before the average client will be
able to receive and verify DNSSEC records through the ubiquitous
middle-boxes that separate most PCs from the internet.


Is this about a spec with a "to be opened/used not before 2015" label?

-Martin
_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf
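
The ordering of checks discussed in this message, as an added example that is not part of the original e-mail or of the drafts it mentions: a client accepts the SRV target as a certificate identity only when the SRV answer was DNSSEC-validated, and otherwise checks the certificate against the source domain alone. The `SrvAnswer` type, function names, port and certificate name lists are constructed for illustration, and the `dnssec_validated` flag is assumed to come from the client's own validating resolver.

```python
# Added example: all names and sample data below are constructed.
from dataclasses import dataclass

@dataclass
class SrvAnswer:
    target: str             # hostname taken from the SRV record
    port: int
    dnssec_validated: bool  # True only if the client validated the DNSSEC chain

def reference_identities(source_domain, srv):
    """DNS names the client may accept in the server certificate."""
    refs = [source_domain.lower().rstrip(".")]
    # An unvalidated SRV target can be forged by anyone able to spoof DNS,
    # so it becomes an acceptable identity only after DNSSEC validation.
    if srv.dnssec_validated:
        refs.append(srv.target.lower().rstrip("."))
    return refs

def name_matches(pattern, name):
    """Exact match, or a wildcard covering exactly the left-most label."""
    pattern = pattern.lower().rstrip(".")
    if pattern.startswith("*."):
        rest = name.split(".", 1)
        return len(rest) == 2 and rest[0] != "" and rest[1] == pattern[2:]
    return pattern == name

def server_identity_ok(source_domain, srv, cert_dns_names):
    """True if any certificate DNS name matches an acceptable identity."""
    refs = reference_identities(source_domain, srv)
    return any(name_matches(san, ref) for san in cert_dns_names for ref in refs)

# Constructed sample: example.com hosted at calendarserverfoobar.com.
HOSTED_CERT = ["calendarserverfoobar.com", "*.calendarserverfoobar.com"]
SIGNED = SrvAnswer("calendarserverfoobar.com", 443, dnssec_validated=True)
UNSIGNED = SrvAnswer("calendarserverfoobar.com", 443, dnssec_validated=False)

if __name__ == "__main__":
    print("validated SRV:  ", server_identity_ok("example.com", SIGNED, HOSTED_CERT))
    print("unvalidated SRV:", server_identity_ok("example.com", UNSIGNED, HOSTED_CERT))
    print("cert names source domain:",
          server_identity_ok("example.com", UNSIGNED, ["example.com"]))
```
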
