Cyrus Daboo wrote: > > > So, the "connect the dots" is to: > > > > - Announce the fact example.com is hosted at calendarserverfoobar.com > > (with some URL) in DNS > > > > - Secure that announcement in DNS with DNSSEC > > > > - Verify the SSL (for example) cert for the connection to > > calendarserverfoobar.com matches > > So the srv-caldav (and srv-email) drafts reference Section 3 of > draft-saintandre-tls-server-id-check which describes how clients can go > about verifying a server identity when using TLS under various > circumstances, including an initial discovery via SRV records. > > > - Do application layer authentication etc over the then encrypted > > connection > > > > Sounds ok? > > Well the key here is DNSSEC of course! Absolutely. Without DNSSEC verification by the client, there is zero security when DNS SRV records are used to determine the hostname of the server. It took many many years from the DNSSEC spec to the creation of secure DNS zones in the DNS root. It'll take at least 5 years before the average client will be able to receive and verify DNSSEC records through the ubiquituous middle-boxes that seperate most PCs from the internet. Is this about a spec with a "to be opened/used not before 2015" label? -Martin _______________________________________________ Ietf mailing list Ietf@xxxxxxxx https://www.ietf.org/mailman/listinfo/ietf