Internet DRAFT - draft-laber-smtp-impt
draft-laber-smtp-impt
Network Working Group M. Laber
Internet-Draft 1&1
Intended status: Experimental September 8, 2014
Expires: March 12, 2015
Inter Mail Provider Trust (IMPT):
Mandatory use of Transport Layer Security (TLS)
with Simple Mail Transfer Protocol (SMTP)
draft-laber-smtp-impt-00
Abstract
This memo describes the protocol called Inter Mail Provider Trust
(IMPT) which ensures that a cryptographically secured communication
channel is always established with Transport Layer Security (TLS)
when delivering messages via Simple Mail Transfer Protocol (SMTP)
between Mail Transfer Agents (MTAs) of pre-registered participants.
Mainly the participants exchange SMTP routing information about their
MTA infrastructure for this purpose.
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on March 12, 2015.
Copyright Notice
Copyright (c) 2014 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
Laber Expires March 12, 2015 [Page 1]
�
Internet-Draft IMPT September 2014
carefully, as they describe your rights and restrictions with respect
to this document.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
1.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . 3
1.2. Status . . . . . . . . . . . . . . . . . . . . . . . . . 3
2. Transfer messages . . . . . . . . . . . . . . . . . . . . . . 4
3. List formats . . . . . . . . . . . . . . . . . . . . . . . . 4
3.1. Participants list . . . . . . . . . . . . . . . . . . . . 5
3.2. MX infrastructure list . . . . . . . . . . . . . . . . . 6
3.3. Value Syntaxes . . . . . . . . . . . . . . . . . . . . . 8
3.3.1. Domain Names . . . . . . . . . . . . . . . . . . . . 8
3.3.2. IP Address Literals . . . . . . . . . . . . . . . . . 8
3.3.3. Timestamps . . . . . . . . . . . . . . . . . . . . . 8
3.3.4. Digital signatures . . . . . . . . . . . . . . . . . 9
4. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 9
5. Security Considerations . . . . . . . . . . . . . . . . . . . 9
6. References . . . . . . . . . . . . . . . . . . . . . . . . . 10
6.1. Normative References . . . . . . . . . . . . . . . . . . 10
6.2. Informative References . . . . . . . . . . . . . . . . . 12
Appendix A. Examples . . . . . . . . . . . . . . . . . . . . . . 12
A.1. Participants list . . . . . . . . . . . . . . . . . . . . 12
A.2. MX infrastructure list single participant . . . . . . . . 13
A.3. Aggregated MX infrastructure list . . . . . . . . . . . . 15
Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 17
1. Introduction
Most times Transport Layer Security (TLS) is used with Simple Mail
Transfer Protocol (SMTP) in a opportunistic manner which is subject
to possible down-grade attacks as described in [RFC3207], section 6.
This memo describes an approach to strictly mandate that an Mail
Transfer Agent (MTA) of a IMPT participant must use the SMTP
extension STARTTLS [RFC3207] to establish an encrypted connection
channel with TLS 1.2 [RFC5246] when transferring a message via SMTP
to another participant's MTA.
In opposite to other approaches IMPT also ensures that the receiving
MTA knows whether the sender must use TLS or not.
Out-of-band information is exchanged between pre-registered
participants for that purpose which is provided in the form of
optionally digitally signed JSON-based lists via HTTP over TLS
(HTTPS) (see Section 3).
Laber Expires March 12, 2015 [Page 2]
�
Internet-Draft IMPT September 2014
1.1. Terminology
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119].
The terms Internet Mail, Recipient, Message Transfer Agent (MTA) are
to be interpreted as described in [RFC5598].
Furthermore the following terms are used in this document:
Recipient domain:
Domain part of the [RFC5321] RCPT TO command forward path.
MX record:
DNS resource record which is used to locate the MTA for a
recipient domain as described in [RFC1035], section 3.3.9.
MX hostname:
DNS hostname of the inbound MTA for a recipient domain determined
by rules defined in [RFC5321], section 5.
MX address:
The IP address of the MX hostname determined by looking up the
associated A or AAAA resource records in DNS.
IMPT participant (or only participant):
Organization or individual which is running mail services for own
use or on behalf of others (hosting provider) which are compliant
to the protocol described herein.
JSON object:
JSON object consisting of name/value pairs (or members) as defined
in [RFC7159], section 4.
JSON array:
JSON array as defined in [RFC7159], section 5.
JSON lists:
Different types of JSON formatted lists are defined in Section 3.
1.2. Status
This document is not an Internet Standards Track specification; it is
published for examination, experimental implementation, and
evaluation.
Laber Expires March 12, 2015 [Page 3]
�
Internet-Draft IMPT September 2014
2. Transfer messages
When transferring an Internet Mail message an outbound MTA MUST use
STARTTLS [RFC3207] to establish an encrypted TLS connection if the MX
hostname appears as name of an MTA object in at least one participant
MX infrastructure list (see Section 3.2).
The outbound MTA (TLS client) MUST authenticate itself to the inbound
MTA (TLS server) with a TLS client certificate ([RFC5246], section-
7.4.6) published in its MTA object with <role> "outbound"
Section 3.2, Paragraph 5.
Furthermore, in case of an error occuring while establishing the TLS
connection, the outbound MTA MUST NOT fall back to clear-text
transport. Rather, TLS connection failure MUST be treated like an
temporary SMTP failure and message SHOULD be queued for retrying
transfer later ([RFC5321], section 4.5.4).
The outbound MTA (TLS client) MUST implement the TLS hostname check
as detailed in [RFC6125]. The outbound MTA MUST accept at least the
MX hostname As server identity. It MAY additionally accept the
recipient domain as server identity.
The inbound/receiving MTA (TLS server) MUST check whether the
sender's IP address is found in an MTA object. If the IP address is
found in an MTA object the sender MUST refuse to accept clear-text
(non-TLS) connections from this IP address. Futhermore the inbound/
receiving MTA MUST check whether the client certificate used by the
outbound/sending MTA matches one of the certificates referenced by
value <cert_ref> in the MTA object (Section 3.2, Paragraph 5).
3. List formats
There are three sorts of JSON lists all of which MUST be made
publicly accessible:
Participant list:
Holds contact information and a reference link to MX
infrastructure list of each trusted participant. This list MAY be
stored in a central location but each participant provides a copy
of this list for download which SHOULD be considered local
configuration. The format is specified in Section 3.1.
Participant MX infrastructure list:
Describes own MX infrastructure of a single participant including
all incoming and out-going MTAs for which use of transport
security with TLS is mandatory. It contains host names, IP
Laber Expires March 12, 2015 [Page 4]
�
Internet-Draft IMPT September 2014
addresses and X.509 client and server certificates actually used
(see Section 3.2).
Aggregated MX infrastructure list:
An MX infrastructure list (Section 3.2) containing the mirrored
JSON MX infrastructure objects of all participants.
The lists are provided for public download via HTTP over TLS (HTTPS)
[RFC2818] in JSON format with character encoding UTF-8 and the web
service MUST send MIME type application/json [RFC7159].
Each participant MUST publish its own participant MX infrastructure
list with path name "mxinfra.json" and an aggregated MX
infrastructure list with path name "mxinfra-all.json". The complete
HTTPS URL for downloading these MX infrastructure lists is composed
by appending the path name to the value <base_url> in the participant
object (Section 3.1, Paragraph 5).
Applications MUST accept object names and values in arrays in
arbitrary order. If an implementation sees any parsing failure or
any data within a JSON list is considered invalid or incomplete the
whole list MUST be considered invalid and MUST NOT be used at all.
The top-level value <format_version> is present in all lists
indicating the version of the list syntax. For now <format_version>
is always set to the JSON number 1.
The top-level value <timestamp> is present in all lists indicating
the creation time of either the whole list file or a nested object as
detailed in Section 3.3.3.
The following sections describe the JSON format of the list files in
detail starting with some general implementation considerations.
3.1. Participants list
This section describes the format of the central participants list.
While downloadable from a central location the participants list is
considered rather a-priori configuration.
Each participant is registered with a so-called IMPT base domain
which MUST be a valid DNS domain registered for the participant.
The IMPT base domain is used in the object <domains> as name for a
single JSON participant object following the rules in Section 3.3.1.
The values in a JSON participant object are as follows:
Laber Expires March 12, 2015 [Page 5]
�
Internet-Draft IMPT September 2014
contract_date
This value contains the date of the registration contract in
format YYYY-MM-DD as defined in [ISO.8601.1988].
contract_org
Legally bound name of the participant's organization.
base_url
Base URL (HTTPS) with trailing slash "/" for forming URL to
download the MX infrastructure lists from the participant's HTTPS
server.
contact_phone
Public phone number for support requests, abuse notices or similar
in international phone number format as specified in [E.123].
contact_email
Public e-mail address for support requests, abuse notices or
similar in format specified in [RFC5322].
not_before
Timestamp after which this participant is active and implements
all the provisions made in this document. Especially if
<not_before> lies in the future MX infrastructure lists from this
participant are still considered invalid and MUST NOT be used.
The format is specified in Section 3.3.3.
not_after
Timestamp after which this participant is not active anymore.
Especially if <not_after> lies in the past MX infrastructure lists
from this participant are all considered invalid and MUST NOT be
used anymore. The format is specified in Section 3.3.3.
3.2. MX infrastructure list
This section describes the format and usage of the MX infrastructure
list which describes the inbound and outbound MTAs of a participant.
Participants MUST re-new their local copy of all loaded MX
infrastructure lists at least every 15 minutes.
The IMPT base domain names of the participant who generated the list
SHALL be used in the object <domains> as name for a single JSON MX
infrastructure object following the rules in Section 3.3.1. If
<domains> contains a domain name which is not registered in the
participant list the whole MX infrastructure list MUST be rejected as
invalid.
Laber Expires March 12, 2015 [Page 6]
�
Internet-Draft IMPT September 2014
The values in a JSON MX infrastructure object are as follows:
timestamp
Contains a timestamp as described in Section 3.3.3.
Within the participant MX infrastructure list this is the same
timestamp like in outer value <timestamp>.
Within an aggregated MX infrastructure list this is a copy of the
value <timestamp> in the original participant MX infrastructure.
cert_list
This JSON object contains one or more arrays of certificate data.
The name can be randomly chosen by the generator of the list but
has to be unique with <cert_list> object. The binary X.509
certificates are stored as base64-encoded strings [RFC4648].
mx
This object MUST contain MTA objects for all inbound and outbound
MTAs of the participant, possibly used for different recipient
domains, referenced by the publicly visible MX hostname as object
name. This object MAY contain MTA objects with names not yet
listed in the MX RR of a domain. This allows to announce new MTAs
in the MX infrastructure list before actually using them.
The MTA object's name is the MX hostname of the MTA. The values in a
JSON MTA object are as follows:
hostname
MX hostname of MTA as fully-qualified domain name (FQDN) following
the rules in Section 3.3.1. An MX hostname MUST NOT be used more
than once for <role> "inbound".
ip_addrs
Array of IPv4 and/or IPv6 addresses as string representations
following the rules in Section 3.3.2.
cert_ref
Names of values in JSON object <cert_list>. Since the same X.509
certificate may be used by more than one MTA the same reference
name MAY be used more than once. Implementations reading a MX
infrastructure list MUST check whether the MTA object's name,
equal to the MX hostname, matches the certificate by implementing
the hostname check described in [RFC6125].
role
Role of MTA, either "inbound" or "outbound".
Laber Expires March 12, 2015 [Page 7]
�
Internet-Draft IMPT September 2014
Role "inbound" means that this MTA accepts connections from other
MTAs. Regarding TLS this is a TLS server and the used
certificates SHALL be treated as TLS server certificates.
Role "outbound" means that this MTA opens connections to other
MTAs. Regarding this is a TLS client and the used certificates
SHALL be treated as TLS client certificates.
3.3. Value Syntaxes
This section details some syntax rules which conforming
implementations MUST follow when generating values in the JSON lists.
3.3.1. Domain Names
All domains names MUST be stored only with US-ASCII characters
[ANSI.X3-4.1986] without a trailing dot and normalized to lower-case
characters.
Hence internationalized domain names MUST be stored using the A-label
form as defined in [RFC5890].
3.3.2. IP Address Literals
The JSON lists contain IPv4 and/or IPv6 addresses to be compared to
connection information. For secure comparison of those addresses
address literals have to be stored with a uniquely comparable string
representation.
To avoid any misinterpretation the following stricter string
representations MUST be used when generating the JSON lists:
All IPv4 addresses MUST be stored in strict IPv4 dotted-decimal form
ddd.ddd.ddd.ddd
where <ddd> is a one to three digit decimal number between 0 and 255
without non-significant leading zero digits.
All IPv6 addresses MUST be stored in a normalized text representation
as defined in [RFC5952].
3.3.3. Timestamps
All timestamps MUST be stored in format YYYYMMDDhhmmssZ. This format
is formally specified as LDAP syntax "Generalized Time" in [RFC4517],
section 3.3.13.
The time zone is always coordinated universal time (UTC), equivalent
to Greenwich Mean Time (GMT) as indicated by the trailing capital
Laber Expires March 12, 2015 [Page 8]
�
Internet-Draft IMPT September 2014
letter "Z". IMPT implementations MUST only use the "Z" form of <g-
time-zone> excluding fractions of seconds.
The object member <timestamp> in a JSON list MUST contain the
timestamp of the last update to that list.
A participant list or a participant MX infrastructure list SHOULD
only be generated if the list content actually has been changed.
Consumers of these lists MUST NOT solely rely on a more recent
timestamp value to detect whether there have been changes made to a
list or not. They SHOULD always compare the read JSON with a prior
locally stored version.
3.3.4. Digital signatures
The JSON lists SHOULD be digitally signed. In this case a detached
signature CMS [RFC5652] MUST be used and stored in a separate file.
The signature file name is constructed from the list file name by
appending the suffix ".p7s".
Text normalization, e.g. for line-endings or white-spaces, MUST NOT
be used when generating or validating the signature. Instead
implementations MUST treat JSON lists as single octet strings when
generating or validating the signature.
Proper handling of different line-endings and white-spacing is left
to the JSON parser implementations. Therefore digital signature
verification MUST be performed before parsing the JSON file.
4. IANA Considerations
There are no identifiers defined herein to be reserved by IANA.
5. Security Considerations
Typically a message is submitted by an e-mail sender to a mail relay
and the message is transmitted over several hops. But the mechanism
described herein only assures that an encrypted connection is
established between two IMPT-conforming MTAs. Therefore the use of
secure transport channels cannot guaranteed for the whole
transmission of the message. So the e-mail user is encouraged to use
other end-to-end encryption mechanisms as well.
Implementors SHOULD carefully consider the best practices for using
TLS as described in [I-D.ietf-uta-tls-bcp].
Laber Expires March 12, 2015 [Page 9]
�
Internet-Draft IMPT September 2014
For all TLS connections the TLS client MUST perform the TLS hostname
check as described in [RFC6125]. In particular when downloading the
JSON lists the HTTPS client has to verify the server identity as
described in [RFC2818], section 3.1.
All implementations MUST correctly perform:
Full X.509 certificate validation as described in [RFC5280],
section 6.
A proper revocation check against the CRL referred in the X.509v3
extension <cRLDistributionPoints> of the certificate to be
validated.
Participants SHOULD carefully monitor the MX infrastructure lists by
comparing whether all own MTA objects correctly and timely appear in
the aggregated MX infrastructure lists mirroring all the MTA objects.
Abnormal deviations SHOULD be properly alerted.
Implementations MAY use certificate pinning for off-loading
revocation checks to an external process.
Implementations SHOULD be aware of all the subtle issues when
comparing string representations of various identifiers such as
hostnames or addresses for security related decisions, specifically
when creating and interpreting the JSON lists defined herein. See
[RFC6943] for a more detailed problem description.
6. References
6.1. Normative References
[ANSI.X3-4.1986]
American National Standards Institute, "Coded Character
Set - 7-bit American Standard Code for Information
Interchange", ANSI X3.4, 1986.
[E.123] International Telecommunication Union (ITU), "ITU-T Rec.
E.123: Notation for national and international telephone
numbers", November 1988.
[ISO.8601.1988]
International Organization for Standardization, "Data
elements and interchange formats - Information interchange
- Representation of dates and times", ISO Standard 8601,
June 1988.
Laber Expires March 12, 2015 [Page 10]
�
Internet-Draft IMPT September 2014
[RFC1035] Mockapetris, P., "Domain names - implementation and
specification", STD 13, RFC 1035, November 1987.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC2818] Rescorla, E., "HTTP Over TLS", RFC 2818, May 2000.
[RFC3207] Hoffman, P., "SMTP Service Extension for Secure SMTP over
Transport Layer Security", RFC 3207, February 2002.
[RFC4517] Legg, S., "Lightweight Directory Access Protocol (LDAP):
Syntaxes and Matching Rules", RFC 4517, June 2006.
[RFC4648] Josefsson, S., "The Base16, Base32, and Base64 Data
Encodings", RFC 4648, October 2006.
[RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security
(TLS) Protocol Version 1.2", RFC 5246, August 2008.
[RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S.,
Housley, R., and W. Polk, "Internet X.509 Public Key
Infrastructure Certificate and Certificate Revocation List
(CRL) Profile", RFC 5280, May 2008.
[RFC5321] Klensin, J., "Simple Mail Transfer Protocol", RFC 5321,
October 2008.
[RFC5322] Resnick, P., Ed., "Internet Message Format", RFC 5322,
October 2008.
[RFC5652] Housley, R., "Cryptographic Message Syntax (CMS)", STD 70,
RFC 5652, September 2009.
[RFC5890] Klensin, J., "Internationalized Domain Names for
Applications (IDNA): Definitions and Document Framework",
RFC 5890, August 2010.
[RFC5952] Kawamura, S. and M. Kawashima, "A Recommendation for IPv6
Address Text Representation", RFC 5952, August 2010.
[RFC6125] Saint-Andre, P. and J. Hodges, "Representation and
Verification of Domain-Based Application Service Identity
within Internet Public Key Infrastructure Using X.509
(PKIX) Certificates in the Context of Transport Layer
Security (TLS)", RFC 6125, March 2011.
Laber Expires March 12, 2015 [Page 11]
�
Internet-Draft IMPT September 2014
[RFC7159] Bray, T., "The JavaScript Object Notation (JSON) Data
Interchange Format", RFC 7159, March 2014.
6.2. Informative References
[I-D.ietf-uta-tls-bcp]
Sheffer, Y., Holz, R., and P. Saint-Andre,
"Recommendations for Secure Use of TLS and DTLS", draft-
ietf-uta-tls-bcp-01 (work in progress), June 2014.
[RFC3849] Huston, G., Lord, A., and P. Smith, "IPv6 Address Prefix
Reserved for Documentation", RFC 3849, July 2004.
[RFC5378] Bradner, S. and J. Contreras, "Rights Contributors Provide
to the IETF Trust", BCP 78, RFC 5378, November 2008.
[RFC5598] Crocker, D., "Internet Mail Architecture", RFC 5598, July
2009.
[RFC5737] Arkko, J., Cotton, M., and L. Vegoda, "IPv4 Address Blocks
Reserved for Documentation", RFC 5737, January 2010.
[RFC6761] Cheshire, S. and M. Krochmal, "Special-Use Domain Names",
RFC 6761, February 2013.
[RFC6943] Thaler, D., "Issues in Identifier Comparison for Security
Purposes", RFC 6943, May 2013.
Appendix A. Examples
This section contains example JSON lists. Domain names and IPv4/IPv6
addresses are taken from reserved documentation name/address space as
detailed in [RFC6761] [RFC3849] [RFC5737].
A.1. Participants list
This is a example participants list containing two base domains
example.com and example.net:
Laber Expires March 12, 2015 [Page 12]
�
Internet-Draft IMPT September 2014
{
"format_version": 1,
"timestamp": "20140305151906Z"
"domains": {
"example.com": {
"contract_date": "2013-08-09",
"contract_org": "ACME Org.",
"base_url": "https://impt.example.com/impt/",
"contact_phone": "+49 6151 672637623",
"contact_email": "impt@example.com",
"not_before": "20130809000000Z"
},
"example.net": {
"contract_date": "2014-02-11",
"contract_org": "ACME Agency",
"base_url": "https://foo.example.net/bar/",
"contact_phone": "+1 673 78274872224",
"contact_email": "impt-admins@example.net",
"not_before": "20140221000000Z"
"not_after": "20160809000000Z",
},
},
}
A.2. MX infrastructure list single participant
This example shows an MX infrastructure list of a single participant
with two base domains "example.com" and "example.net".
Example download URL:
https://impt.example.com/impt/mxinfra.json
Example signature URL:
https://impt.example.com/impt/mxinfra.json.p7s
Note that all <timestamp> values are equal in this case. For
simplicity certificate values are shortened.
Laber Expires March 12, 2015 [Page 13]
�
Internet-Draft IMPT September 2014
{
"format_version": 1,
"timestamp": "20140305134955Z"
"domains": {
"example.com": {
"timestamp": "20140305134955Z"
"cert_list" : {
"mx00" : ["MII..","MII..",],
"mx01" : ["MII..","MII..",]
},
"mx": [
{
"hostname": "mx00.foo.example.com",
"ip_addrs": [ "128.66.134.8" ],
"cert_ref": "mx00",
"role": "inbound"
},
{
"hostname": "mx01.bar.example.com",
"ip_addrs": [ "128.66.134.72", "2001:DB8:20a:42:2323::1" ],
"cert_ref": "mx01",
"role": "inbound"
},
}
"example.net": {
"timestamp": "20140305134955Z"
"cert_list" : {
"foo" : ["MII..","MII..",],
"bar" : ["MII..","MII..",]
},
"mx": [
{
"hostname": "foo23.example.net",
"ip_addrs": [ "42.23.134.8", "2001:db8::2:1" ],
"cert_ref": "foo",
"role": "inbound"
},
{
"hostname": "bar42.example.net",
"ip_addrs": [ "42.23.134.72", "2001:db8::2:2" ],
"cert_ref": "bar",
"role": "inbound"
},
}
},
}
Laber Expires March 12, 2015 [Page 14]
�
Internet-Draft IMPT September 2014
A.3. Aggregated MX infrastructure list
This example shows an aggregated MX infrastructure list of with two
base domains "example.com" and "example.net" of different
participants.
Example download URL:
https://impt.example.com/impt/mxinfra-all.json
Example signature URL:
https://impt.example.com/impt/mxinfra-all.json.p7s
Note that in this case all <timestamp> values are different because
the inner values were copied from the source participant MX
infrastructure list. For simplicity certificate values are
shortened.
Laber Expires March 12, 2015 [Page 15]
�
Internet-Draft IMPT September 2014
{
"format_version": 1,
"timestamp": "20140305134955Z"
"domains": {
"example.com": {
"timestamp": "20140303112227Z"
"cert_list" : {
"mx00" : ["MII..","MII..",],
"mx01" : ["MII..","MII..",]
},
"mx": [
{
"hostname": "mx00.foo.example.com",
"ip_addrs": [ "149.53.134.8" ],
"cert_ref": "mx00",
"role": "inbound"
},
{
"hostname": "mx01.bar.example.com",
"ip_addrs": [ "128.66.134.72", "2001:DB8:20a:42:2323::1" ],
"cert_ref": "mx01",
"role": "inbound"
},
}
"example.net": {
"timestamp": "20140301124257Z"
"cert_list" : {
"foo" : ["MII..","MII..",],
"bar" : ["MII..","MII..",]
},
"mx": [
{
"hostname": "foo23.example.net",
"ip_addrs": [ "42.23.134.8", "2001:db8::2:1" ],
"cert_ref": "foo",
"role": "inbound"
},
{
"hostname": "bar42.example.net",
"ip_addrs": [ "42.23.134.72", "2001:db8::2:2" ],
"cert_ref": "bar",
"role": "inbound"
},
}
},
}
Laber Expires March 12, 2015 [Page 16]
�
Internet-Draft IMPT September 2014
Author's Address
Markus Laber
1&1 Internet AG
Brauerstr. 48
Karlsruhe 76137
DE
Email: markus.laber@1und1.de
URI: http://www.1und1.de
Laber Expires March 12, 2015 [Page 17]
