> On 27 July 2017 at 23:48 Brandon Long via mailop <mailop@mailop.org> wrote:
>
> Well, yes, that is the DANE argument in a nutshell. That doesn't mean
> it's correct, and there are reasons why DANE was not the solution chosen for
> the browser market.
>
Can I ask which ones? I thought it was mostly because HTTPS is much older than DANE.

At the same time, however, I do find the arguments in RFC 7672 reasonable: for an automated, non-interactive, high-volume application, having a method that removes any need for real-time management of exceptions by a user/administrator is paramount.

Also, there is an important difference that RFC 7672 does not mention: in email, your task is to deliver the message to the domain name contained in the destination address. No assumption is made by the email service on the real-world identity of the address owner or of the owner of his email domain, and there would be no one to show this information to anyway, so the additional value of CAs - verifying identities in the real world - is almost useless; on the other hand, an automated system that verifies that the server establishing the connection really belongs to that domain name is spot on. On the Web, instead, users do want to know which company is actually running the website that they are visiting, and not just that they are really connecting to that hostname, so CAs offer additional value with respect to DANE.

However, I also think that the point about the inherent weaknesses of the security of the CA model is valid. We have seen so many failures and security breaches, and if you couple them with the fact that a single broken CA is enough to break security for everyone everywhere, IMHO finding a different system whenever the "real world validation" part is not particularly necessary is a good plan.

Regards,

--
Vittorio Bertola
Research & Innovation Engineer
Cell: +39 348 7015022
Skype: in-skype...@bertola.eu
Email: vittorio.bert...@open-xchange.com
Twitter: @openexchange http://twitter.com/openexchange - Facebook: OpenXchange https://www.facebook.com/OpenXchange - Web: www.open-xchange.com

Open-Xchange AG, Rollnerstr. 14, 90408 Nuremberg, District Court Nuremberg HRB 24738
Managing Board: Rafael Laguna de la Vera, Carsten Dirks, Michael Knapstein
Chairman of the Board: Richard Seibt
European Office: Open-Xchange GmbH, Olper Huette 5f, D-57462 Olpe, Germany, District Court Siegen, HRB 8718
Managing Directors: Frank Hoberg, Martin Kauss
US Office: Open-Xchange. Inc., 530 Lytton Avenue, Palo Alto, CA 94301, USA

Confidentiality Warning: This message and any attachments are intended only for the use of the intended recipient(s), are confidential, and may be privileged. If you are not the intended recipient, you are hereby notified that any review, retransmission, conversion to hard copy, copying, circulation or other use of this message and any attachments is strictly prohibited. If you are not the intended recipient, please notify the sender immediately by return e-mail, and delete this message and any attachments from your system.
_______________________________________________ mailop mailing list mailop@mailop.org https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
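The "automated system that verifies that the server really belongs to that domain name" in the message above is, concretely, the TLSA matching step of DANE for SMTP. The following is an added example, not code from the thread or from any mail server: it implements the certificate association check of RFC 6698 (selector and matching type) and applies the RFC 7672 rule that only DANE-TA (usage 2) and DANE-EE (usage 3) records are usable for SMTP, so that a PKIX-TA/PKIX-EE record never causes a match. Certificate and SPKI bytes here are constructed placeholders rather than real DER, and DNSSEC validation of the TLSA lookup and PKIX chain building to a DANE-TA issuer are assumed to be done by the caller.

```python
import hashlib
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Certificate usages from RFC 6698 section 2.1.1. RFC 7672 section 3.1.3 makes
# only DANE-TA(2) and DANE-EE(3) usable for SMTP; PKIX-TA(0) and PKIX-EE(1)
# are treated as unusable because no CA trust store is involved.
USAGE_DANE_TA = 2
USAGE_DANE_EE = 3
SMTP_USABLE_USAGES = {USAGE_DANE_TA, USAGE_DANE_EE}

# A (cert_der, spki_der) pair standing in for a parsed X.509 certificate.
CertPair = Tuple[bytes, bytes]


@dataclass(frozen=True)
class TLSARecord:
    usage: int
    selector: int   # 0 = full certificate, 1 = SubjectPublicKeyInfo
    matching: int   # 0 = exact bytes, 1 = SHA-256 digest, 2 = SHA-512 digest
    data: bytes


def tlsa_owner_name(host: str, port: int = 25, proto: str = "tcp") -> str:
    """Owner name of the TLSA RRset for a service (RFC 6698 section 3), e.g. _25._tcp.mx.example.com."""
    return f"_{port}._{proto}.{host.rstrip('.')}."


def parse_tlsa_rdata(rdata: str) -> TLSARecord:
    """Parse presentation-format RDATA such as '3 1 1 <hex digest>'."""
    usage, selector, matching, hexdata = rdata.split(None, 3)
    return TLSARecord(int(usage), int(selector), int(matching),
                      bytes.fromhex(hexdata.replace(" ", "")))


def _association_data(record: TLSARecord, cert: CertPair) -> Optional[bytes]:
    """Apply selector and matching type to a certificate; None means the record is unusable."""
    cert_der, spki_der = cert
    if record.selector == 0:
        selected = cert_der
    elif record.selector == 1:
        selected = spki_der
    else:
        return None  # unknown selector: unusable, never a match
    if record.matching == 0:
        return selected
    if record.matching == 1:
        return hashlib.sha256(selected).digest()
    if record.matching == 2:
        return hashlib.sha512(selected).digest()
    return None  # unknown matching type: unusable, never a match


def record_matches(record: TLSARecord, cert: CertPair) -> bool:
    """True if the record's association data matches this certificate."""
    computed = _association_data(record, cert)
    return computed is not None and computed == record.data


def make_record(usage: int, selector: int, matching: int, cert: CertPair) -> TLSARecord:
    """Build the record a domain owner would publish for a certificate (used for the constructed sample)."""
    probe = TLSARecord(usage, selector, matching, b"")
    data = _association_data(probe, cert)
    if data is None:
        raise ValueError("unsupported selector or matching type")
    return TLSARecord(usage, selector, matching, data)


def verify_smtp_dane(records: List[TLSARecord], leaf: CertPair, issuers: List[CertPair]) -> bool:
    """Accept the SMTP server if any usable TLSA record matches the leaf (DANE-EE)
    or one of its issuers (DANE-TA). Assumption: the caller has already verified
    that each issuer in `issuers` actually signed the chain down to `leaf`."""
    for rec in records:
        if rec.usage == USAGE_DANE_EE and record_matches(rec, leaf):
            return True
        if rec.usage == USAGE_DANE_TA and any(record_matches(rec, c) for c in issuers):
            return True
        # usages 0 and 1 (and unknown values) are skipped: unusable for SMTP
    return False


# Constructed sample material (not real DER); labelled as such.
LEAF: CertPair = (b"constructed-leaf-cert-der", b"constructed-leaf-spki-der")
ISSUER: CertPair = (b"constructed-issuer-cert-der", b"constructed-issuer-spki-der")
ROGUE: CertPair = (b"constructed-rogue-cert-der", b"constructed-rogue-spki-der")


def demo() -> dict:
    """Run the constructed scenarios and return their outcomes by name."""
    ee_record = make_record(USAGE_DANE_EE, 1, 1, LEAF)      # the common "3 1 1" form
    ta_record = make_record(USAGE_DANE_TA, 0, 1, ISSUER)    # pin the issuer instead
    pkix_record = make_record(1, 1, 1, LEAF)                # PKIX-EE: unusable for SMTP
    return {
        "dane_ee_matches_leaf": verify_smtp_dane([ee_record], LEAF, [ISSUER]),
        "dane_ta_matches_issuer": verify_smtp_dane([ta_record], LEAF, [ISSUER]),
        "rogue_cert_rejected": verify_smtp_dane([ee_record, ta_record], ROGUE, [ROGUE]),
        "pkix_usage_ignored": verify_smtp_dane([pkix_record], LEAF, [ISSUER]),
    }


if __name__ == "__main__":
    print(tlsa_owner_name("mx.example.com"))
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The point worth noticing is in `verify_smtp_dane`: a certificate presented by a server that merely has a valid CA-issued certificate for the name (the `pkix_usage_ignored` case) gets no credit, which is exactly the property the message argues for, while the decision to accept or reject is made without any administrator-maintained exception list.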