
Re: Last Call: <draft-ietf-uta-email-tls-certs-05.txt> (Updated TLS Server Identity Check Procedure for Email Related Protocols) to Proposed Standard

2015-11-28 09:32:48
Hi Alessandro,

On 27/11/2015 19:50, Alessandro Vesely wrote:
Hi

On Tue 24/Nov/2015 06:51:41 +0100 Viktor Dukhovni wrote: 

Section 3:

   1.  For DNS-ID and CN-ID identifier types the client MUST use one or
       more of the following as "reference identifiers": (a) the right
       hand side of the email address, (b) the hostname it used to open
       the connection (without CNAME canonicalization).  The client MAY
       also use (c) a value securely derived from (a) or (b), such as
       using "secure" DNSSEC validated lookup.

The problem here is that "the right hand side of the email address"
is not clearly defined, which email address?  It seems that the
email address in question here is that of the user (performing mail
submission or accessing his own mailbox).  Also I would replace
"right hand side" with "domain part" (RFC 5322 email addresses are
<localpart@domainpart>).

I quickly searched "vanity" in the list archive, to no avail.  Section 6 misses a case where mail.example.net also serves user@example.com.

I added another example in section 6.

Some guidance on how to check/configure vanity domains may be appropriate, IMHO.

If you can suggest some specific text, that would be great?

Best Regards,
Alexey
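As an added illustration of the reference-identifier rule quoted above, the following Python is not part of the draft, the thread or any mail client; it is example code written here. It builds the reference identifiers of section 3 item 1 from (a) the domain part of the user's email address and (b) the hostname the client used to open the connection, optionally adds (c) names the caller has already obtained through a DNSSEC-validated lookup, and then compares them with the DNS-ID (subjectAltName dNSName) and CN-ID values a server certificate presents. The function names, the `PresentedIdentifiers` container and the certificate values are hypothetical and constructed for the example; wildcard handling is the simplified RFC 6125 rule (a lone `*` as the leftmost label, at least two further labels), SRV-ID is not covered, and no real TLS connection is made. The vanity-domain case Alessandro raises (mail.example.net serving user@example.com) is the first scenario in the demo.

```python
from dataclasses import dataclass
from typing import Optional, Tuple, Set, Iterable


@dataclass(frozen=True)
class PresentedIdentifiers:
    """Identifiers taken from a server certificate (constructed for this example)."""
    dns_ids: Tuple[str, ...]      # subjectAltName dNSName entries
    cn_id: Optional[str]          # subject Common Name, consulted only if no DNS-ID exists


def _normalize(name: str) -> str:
    return name.lower().rstrip(".")


def reference_identifiers(email_address: str, connect_hostname: str,
                          securely_derived: Iterable[str] = ()) -> Set[str]:
    """Reference identifiers per draft section 3, item 1:
    (a) the domain part of the user's email address,
    (b) the hostname used to open the connection (no CNAME canonicalization here),
    (c) optionally, names the caller obtained via a DNSSEC-validated lookup
        (assumption: validation already happened outside this function)."""
    local, sep, domain = email_address.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError("email address must be localpart@domainpart")
    refs = {_normalize(domain), _normalize(connect_hostname)}
    refs.update(_normalize(d) for d in securely_derived)
    return refs


def dns_id_matches(presented: str, reference: str) -> bool:
    """Compare one presented DNS-ID with one reference identifier.
    Exact (case-insensitive) match, or a wildcard '*' forming the entire leftmost
    label that stands in for exactly one label (simplified RFC 6125 rule)."""
    p, r = _normalize(presented), _normalize(reference)
    if p == r:
        return True
    p_labels, r_labels = p.split("."), r.split(".")
    if (p_labels[0] == "*" and len(p_labels) >= 3
            and len(p_labels) == len(r_labels)):
        return p_labels[1:] == r_labels[1:]
    return False


def server_identity_ok(presented: PresentedIdentifiers, refs: Set[str]) -> Optional[str]:
    """Return the reference identifier that matched the certificate, or None.
    DNS-IDs are checked when present; the CN-ID is used only as a fallback."""
    if presented.dns_ids:
        candidates = presented.dns_ids
    elif presented.cn_id:
        candidates = (presented.cn_id,)
    else:
        candidates = ()
    for ref in sorted(refs):
        for cand in candidates:
            if dns_id_matches(cand, ref):
                return ref
    return None


if __name__ == "__main__":
    # Scenario 1 (vanity domain): user@example.com submits via mail.example.net,
    # whose certificate only names mail.example.net. Reference identifier (b) matches.
    refs = reference_identifiers("user@example.com", "mail.example.net")
    vanity_cert = PresentedIdentifiers(dns_ids=("mail.example.net",), cn_id="mail.example.net")
    print("vanity domain:", server_identity_ok(vanity_cert, refs))

    # Scenario 2: certificate issued for example.com itself; identifier (a) matches.
    domain_cert = PresentedIdentifiers(dns_ids=("example.com",), cn_id=None)
    print("domain-part cert:", server_identity_ok(domain_cert, refs))

    # Scenario 3: unrelated certificate; the client must reject the connection.
    wrong_cert = PresentedIdentifiers(dns_ids=("smtp.example.org",), cn_id="smtp.example.org")
    print("unrelated cert:", server_identity_ok(wrong_cert, refs))
```

The key design point is that both (a) and (b) are always in the reference set, so a correctly issued certificate for either the mail host or the user's domain is accepted, while a certificate for neither is rejected regardless of what a CNAME chain resolved to.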
