Hi,

As a developer for an email security gateway, I'm all in favor of validating 
the SAN instead of the CN on the SMTP level.

And though SMTP mostly uses opportunistic TLS, mandatory use of TLS is 
increasing with more people adopting MTA-STS.

Now, the proposed RFC is specifically scoped to TLS certificates. I think 
pushing the same thing for S/MIME certificates would also be useful.

Kind regards,
Henning
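For readers who want to see what "validating the SAN instead of the CN" looks like in an SMTP client, here is an added illustration (not code from the list, from Henning's gateway, or from the draft). It works on the dictionary shape Python's `ssl.SSLSocket.getpeercert()` returns, consults only DNS-ID entries of `subjectAltName` with RFC 6125 wildcard rules, and rejects a certificate whose only matching name is the CN. The `allow_legacy_cn` switch and the sample certificates are constructed for the example; the switch models the "backward compatibility language" discussed below and is off by default.

```python
"""Server-name matching for an SMTP client that prefers subjectAltName.

Added example: the certificate dicts below are constructed samples in the
shape of ssl.SSLSocket.getpeercert(), not real certificates.
"""

def _dns_id_matches(pattern: str, hostname: str) -> bool:
    """Compare one DNS-ID from the certificate with the expected host name.

    Case-insensitive, trailing dots ignored. A wildcard is only honoured when
    it is the entire leftmost label of a name with at least two more labels,
    and it never matches across a dot (so "*.example.com" does not match
    "a.b.example.com", and "m*.example.com" or "*.com" never match).
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern or not hostname:
        return False
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False
    if len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def match_smtp_server_cert(cert: dict, hostname: str,
                           allow_legacy_cn: bool = False) -> bool:
    """Return True if the certificate is valid for `hostname`.

    Only DNS-ID SAN entries are consulted. iPAddress and other SAN types are
    ignored for an SMTP host name. The commonName is consulted only when
    allow_legacy_cn is True AND the certificate carries no subjectAltName at
    all, which is the RFC 6125 fallback the draft deprecates.
    """
    sans = cert.get("subjectAltName", ())
    for kind, value in sans:
        if kind == "DNS" and _dns_id_matches(value, hostname):
            return True
    if sans or not allow_legacy_cn:
        # A SAN was present but nothing matched, or CN fallback is disabled.
        return False
    for rdn in cert.get("subject", ()):
        for attr, value in rdn:
            if attr == "commonName" and _dns_id_matches(value, hostname):
                return True
    return False


def rejection_reason(cert: dict, hostname: str) -> str:
    """Short, log-friendly explanation of why a certificate was rejected."""
    if match_smtp_server_cert(cert, hostname):
        return "ok"
    if not cert.get("subjectAltName"):
        return "no subjectAltName extension; CN-only certificates are not accepted"
    names = [v for k, v in cert["subjectAltName"] if k == "DNS"]
    return f"no DNS-ID SAN matches {hostname!r}; certificate names: {names}"


# Constructed sample certificates (hypothetical hosts, not real certs).
CERT_SAN_OK = {
    "subject": ((("commonName", "mail.example.com"),),),
    "subjectAltName": (("DNS", "mail.example.com"), ("DNS", "mx1.example.com")),
}
CERT_CN_ONLY = {
    "subject": ((("commonName", "mail.example.com"),),),
}
CERT_WILDCARD = {
    "subject": ((("commonName", "*.example.com"),),),
    "subjectAltName": (("DNS", "*.example.com"), ("IP Address", "192.0.2.25")),
}

if __name__ == "__main__":
    for name, cert in (("san", CERT_SAN_OK), ("cn-only", CERT_CN_ONLY),
                       ("wildcard", CERT_WILDCARD)):
        print(name, rejection_reason(cert, "mail.example.com"))
```

The CN-only certificate is rejected under the default policy even though its CN matches, which is exactly the behaviour the draft asks for; flipping `allow_legacy_cn` to True is the only way to accept it, and then only because the certificate has no SAN at all.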

> -----Original Message-----
> From: Uta [mailto:uta-boun...@ietf.org] On Behalf Of Viktor Dukhovni
> Sent: Montag, 15. März 2021 11:32
> To: uta@ietf.org
> Subject: Re: [Uta] Adoption of draft-rsalz-use-san
> 
> > On Mar 15, 2021, at 7:58 AM, Eliot Lear <lear=40cisco....@dmarc.ietf.org> wrote:
> >
> > Architecturally, Rich is nailing it.  We should be encouraging the use of
> > SANs.  However, use of SANs beyond the scope of the web may not be
> > entirely ubiquitous, and so we should either be a bit more targeted, or slow
> > roll the other uses with some backward compatibility language.  Personally I
> > like the latter approach.  We shouldn’t hold up deprecation across the web
> > due to the other uses, but we should encourage those other uses to move
> > off of subject.
> >
> > If Rich and others are ok with that, I’m all for adoption.
> 
> Certificates are barely checked in SMTP at all (opportunistic at that), but
> to the extent that they are, I am not aware of anyone who's got meaningful
> certificates that only have a matching CN and no matching SAN.
> 
> It is fine to deprecate the requirement to support CNs in the absence of a
> DNS-ID SAN also for SMTP (not just Web).  Long overdue.
> 
> --
>       Viktor.
> 
> _______________________________________________
> Uta mailing list
> Uta@ietf.org
> https://www.ietf.org/mailman/listinfo/uta