On Fri, May 04, 2018 at 05:19:46AM +0000, Viktor Dukhovni wrote:
> On Thu, May 03, 2018 at 06:14:44PM -0700, Eric Rescorla wrote:
>
> > > 2. That at least one of the policy's "mx" patterns matches at least
> > > one of the identities presented in the MX's X.509 certificate, as
> > > described in "MX Certificate Validation".
> >
> > IMPORTANT: This doesn't seem like quite what you want. Consider
> > the case where the STS policy has:
> >
> >   mx: mx1.example.com
> >   mx: mx2.example.com
> >
> > And I then attempt to send to mx1.example.com, send SNI=mx1.example.com,
> > and get a cert that is only valid for mx2.example.com.
>
> [ This was discussed extensively in the WG. This part of the design
> is substantially my doing... ]

For ease of reference, these are some of those discussions where people
(including me) raised concerns about the custom certificate matching:
https://www.ietf.org/mail-archive/web/uta/current/msg02195.html
https://www.ietf.org/mail-archive/web/uta/current/msg01922.html
https://www.ietf.org/mail-archive/web/uta/current/msg02308.html
Thanks,
Alberto
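
Added example, not part of the thread: a Python sketch of the scenario Eric Rescorla describes above, comparing the validation rule as quoted from the draft with a host-bound variant. The `name_match` helper, its simplified wildcard handling, and `host_bound_rule` are assumptions made for illustration, not text from the draft.

```python
def name_match(pattern: str, name: str) -> bool:
    """Simplified DNS name match (assumption): case-insensitive, and a
    leading '*.' in the pattern stands for exactly one leftmost label."""
    p = pattern.lower().rstrip(".").split(".")
    n = name.lower().rstrip(".").split(".")
    if len(p) != len(n):
        return False
    if p[0] == "*":
        return len(n[0]) > 0 and p[1:] == n[1:]
    return p == n


def quoted_rule(policy_mx, cert_ids):
    """Rule as quoted: some policy "mx" pattern matches some cert identity."""
    return any(name_match(p, c) for p in policy_mx for c in cert_ids)


def host_bound_rule(policy_mx, cert_ids, mx_host):
    """Stricter variant (assumption, for contrast): the MX host actually
    connected to must be allowed by the policy AND covered by the cert."""
    in_policy = any(name_match(p, mx_host) for p in policy_mx)
    cert_covers_host = any(name_match(c, mx_host) for c in cert_ids)
    return in_policy and cert_covers_host


# Constructed inputs reproducing the scenario from the thread.
POLICY_MX = ["mx1.example.com", "mx2.example.com"]
CONNECTED_TO = "mx1.example.com"   # also the SNI value sent
CERT_IDS = ["mx2.example.com"]     # certificate is only valid for mx2


def evaluate():
    """Run both rules on the constructed scenario."""
    return {
        "quoted_rule": quoted_rule(POLICY_MX, CERT_IDS),
        "host_bound_rule": host_bound_rule(POLICY_MX, CERT_IDS, CONNECTED_TO),
    }


if __name__ == "__main__":
    for rule, ok in evaluate().items():
        print(f"{rule}: {'accept' if ok else 'reject'}")
```

The quoted rule accepts the mx2-only certificate on a connection to mx1, while the host-bound variant rejects it.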