On Tue, Jan 24, 2023 at 10:41:08PM -0800, Rob Sayre wrote:
> Then, I would match any mention of "web browsers" with examples of
> implementations that do things another way. I suspect this approach might
> make for difficult writing, because I don't think anyone diverges from the
> browser approach. If I'm wrong here, I'd be happy to see it documented.
Which practices did you have in mind here, in terms of potential differences
from practices in browsers?

To find substantially different practice, you probably need to look at
industrial automation networks, and some IoT applications. Postfix probably
occupies a space on the spectrum between browsers and SCADA.

- Postfix supports and prefers (when TLS <= 1.2) anon-DH in unauthenticated
  opportunistic connections, but this is of course outside the scope of
  RFC6125bis.

- Postfix also supports DANE TLSA with DANE-EE(3) TLSA records, with the
  reference identifiers in the server certificate entirely ignored in that
  case. Again, not like browsers, but out of scope.

  Indeed, support for raw public keys (authenticated via DANE-EE(3) SPKI(1)
  TLSA records when applicable) is now code-complete, waiting for the OpenSSL
  PR to be included in a future OpenSSL 3.2. RPK is the closest I can get to
  anon-DH with TLS 1.3. There are today two MTAs on the Internet that support
  RPK. I operate both. :-)

- Postfix allows MTA administrators to configure wildcard *reference*
  identifiers (note, these are NOT wildcards in the certificate; rather they
  are locally configured subdomain suffixes that match any name ending in
  that suffix). This is somewhat in the ballpark.

- Multiple reference identifiers are somewhat common, e.g. a list of MX
  hostnames, or a subdomain suffix they all share (and thus also any other
  sibling host).

- IDNA support is based on UTS-46.

-- 
    Viktor.

_______________________________________________
Uta mailing list
Uta@ietf.org
https://www.ietf.org/mailman/listinfo/uta
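The "subdomain suffix" reference identifiers and the list-of-MX-hostnames practice described in the message, as an added illustration (constructed example code, not Postfix's own implementation, and not reproducing Postfix's configuration syntax): a reference identifier beginning with "." is assumed to denote a suffix that matches only names strictly below that domain, and all other entries are exact host matches; certificate-side wildcards are never accepted. IDNA/UTS-46 mapping is assumed to have been applied to both sides beforehand.

```python
from typing import Iterable, Optional, Tuple


def _normalize(name: str) -> str:
    # Hostnames compare case-insensitively; a single trailing dot is ignored.
    # UTS-46/IDNA processing is assumed to have happened before this point.
    return name.rstrip(".").lower()


def matches_reference(presented: str, reference: str) -> bool:
    """True if one presented DNS-ID satisfies one locally configured reference.

    A reference starting with "." is a subdomain-suffix reference: it matches
    any name with at least one additional label below that domain, so
    ".example.com" matches "mx1.example.com" but neither "example.com" itself
    nor "notexample.com" (the leading dot forces a label boundary).
    Anything else is an exact hostname match. Wildcard names coming from the
    certificate are rejected outright; wildcards live only in the reference.
    """
    p = _normalize(presented)
    r = _normalize(reference)
    # Reject empty names, certificate wildcards and names with empty labels.
    if not p or "*" in p or "" in p.split("."):
        return False
    if r.startswith("."):
        # Suffix match on a label boundary; require at least one extra label.
        return p.endswith(r) and len(p) > len(r)
    return p == r


def first_match(
    presented_names: Iterable[str], references: Iterable[str]
) -> Optional[Tuple[str, str]]:
    """Return the first (presented, reference) pair that matches, else None.

    Mirrors the multiple-reference-identifier case: e.g. a list of MX
    hostnames plus a shared subdomain suffix, any of which is acceptable.
    """
    refs = list(references)
    for name in presented_names:
        for ref in refs:
            if matches_reference(name, ref):
                return (name, ref)
    return None


if __name__ == "__main__":
    # Constructed sample: two MX names plus a shared suffix as references.
    refs = ["mx1.example.com", "mx2.example.com", ".example.com"]
    print(first_match(["mail.example.net", "mx3.example.com"], refs))
```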