Explain the reasons why <hostname> TLS certificate is needed rather than <delegated_hostname> for SRV delegation. (#3322)

Signed-off-by: Niels Basjes <niels@basjes.nl>
Niels Basjes 2021-08-10 13:51:29 +02:00 committed by Richard van der Hoff
parent 19a96c2484
commit cf5b519963
2 changed files with 10 additions and 0 deletions


@ -0,0 +1 @@
Explain the reasons why `<hostname>` TLS certificate is needed rather than `<delegated_hostname>` for SRV delegation.
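Review bot: The changelog sentence is missing an article before `<hostname>`. Consider "Explain why a TLS certificate for `<hostname>` is needed rather than one for `<delegated_hostname>` for SRV delegation.", which also matches the "valid certificate for `<hostname>`" wording used in the spec text this change annotates.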


@ -134,6 +134,15 @@ to send. The process overall is as follows:
8448 and a `Host` header containing the `<hostname>`. The target 8448 and a `Host` header containing the `<hostname>`. The target
server must present a valid certificate for `<hostname>`. server must present a valid certificate for `<hostname>`.
{{% boxes/note %}}
The reasons we require `<hostname>` rather than `<delegated_hostname>` for SRV
delegation are:
1. DNS is insecure (not all domains have DNSSEC), so the target of the delegation
must prove that it is a valid delegate for `<hostname>` via TLS.
2. Consistency with the recommendations in [RFC6125](https://datatracker.ietf.org/doc/html/rfc6125#section-6.2.1)
and other applications using SRV records such [XMPP](https://datatracker.ietf.org/doc/html/rfc6120#section-13.7.2.1).
{{% /boxes/note %}}
The TLS certificate provided by the target server must be signed by a The TLS certificate provided by the target server must be signed by a
known Certificate Authority. Servers are ultimately responsible for known Certificate Authority. Servers are ultimately responsible for
determining the trusted Certificate Authorities, however are strongly determining the trusted Certificate Authorities, however are strongly
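Review bot: Item 2 of the new note has a missing word: "using SRV records such [XMPP]" should read "such as [XMPP]". Item 1 would also be stronger if it spelled out the consequence it implies: because the SRV answer may be unauthenticated, a certificate for `<delegated_hostname>` would only prove control of whatever name the DNS response returned, whereas a certificate for `<hostname>` proves the target is authorised to act for the server name itself. Finally, "not all domains have DNSSEC" could be worded as "DNSSEC is not universally deployed" so the parenthetical reads as the reason DNS cannot be relied on rather than as an aside.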