Ross Tajvar via mailop <mailop@mailop.org> (Fri 12 Jul 2019 04:12:13 CEST):
> > For mail clients this question isn't relevant, if this is meant as
> > "MUA", since MUAs normally talk to their submission hosts, and often do
> > certificate checking similar to what HTTPS clients do: compare the
> > certificate's CN and SAN with the hostname they connect to and verify
> > the certificate against locally stored trusted CAs.
> Not sure how that makes it irrelevant. Just like in HTTPS clients, DANE
> provides an additional layer of validation. I.e. with DANE you can check
> for a specific cert fingerprint vs with normal validation you trust any
> valid matching cert issued by any trusted CA. In my view, DANE would be
> useful in mail clients. Just not sure if any actually use it.
Yes, undoubtedly, it *would* be a good move to use DANE as an additional (or in some cases the only) server validation method. I think of purely internal submission hosts, having no publicly trusted CA (plus some reason not to deploy the private CA to the clients).

Best regards from Dresden/Germany
Heiko Schlittermann
--
SCHLITTERMANN.de ---------------------------- internet & unix support -
Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
gnupg encrypted messages are welcome --------------- key ID: F69376CE -
! key id 7CBF764A and 972EAC9F are revoked since 2015-01 ------------ -
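The "specific cert fingerprint" check Ross describes is the TLSA matching step of DANE (RFC 6698): a client hashes the presented certificate (selector 0) or just its SubjectPublicKeyInfo (selector 1) and compares it with the DNS record, regardless of which CA signed it. The following is an added example, not code from this thread or from any MUA; it implements only the DANE-EE (usage 3) matching logic with a minimal DER walker, and the certificates it checks are constructed stand-ins, not real X.509 data. A real client would additionally have to obtain the TLSA record through a DNSSEC-validating resolver, which this example does not do.

```python
import hashlib

def parse_tlsa(rdata: str):
    """Parse TLSA presentation format 'usage selector mtype hexdata' (RFC 6698 2.2)."""
    usage, selector, mtype, hexdata = rdata.split(None, 3)
    return int(usage), int(selector), int(mtype), bytes.fromhex(hexdata.replace(" ", ""))

def _der_tlv(buf: bytes, pos: int):
    """Read one DER TLV at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def spki_from_cert(cert_der: bytes) -> bytes:
    """Extract the DER SubjectPublicKeyInfo (TLSA selector 1) from an X.509 certificate."""
    _, pos, _ = _der_tlv(cert_der, 0)       # Certificate SEQUENCE
    _, pos, _ = _der_tlv(cert_der, pos)     # tbsCertificate SEQUENCE
    tag, _, end = _der_tlv(cert_der, pos)
    if tag == 0xA0:                         # optional [0] EXPLICIT version
        pos = end
    for _ in range(5):                      # serialNumber, signature, issuer, validity, subject
        _, _, pos = _der_tlv(cert_der, pos)
    _, _, end = _der_tlv(cert_der, pos)     # subjectPublicKeyInfo SEQUENCE
    return cert_der[pos:end]

def tlsa_matches(cert_der: bytes, rdata: str) -> bool:
    """DANE-EE (usage 3) check: does the presented certificate match the pinned TLSA data?"""
    usage, selector, mtype, data = parse_tlsa(rdata)
    if usage != 3:
        raise ValueError("only DANE-EE(3) handled here; PKIX-* usages also need CA validation")
    target = cert_der if selector == 0 else spki_from_cert(cert_der)
    if mtype == 0:                          # Full(0): exact match
        return target == data
    digest = {1: hashlib.sha256, 2: hashlib.sha512}[mtype]   # SHA2-256(1) / SHA2-512(2)
    return digest(target).digest() == data

# --- constructed sample data (hypothetical, not real certificates) ------------
def _der(tag: int, content: bytes) -> bytes:
    return bytes([tag, len(content)]) + content    # short-form length suffices for samples

def _fake_cert(pubkey_bits: bytes) -> bytes:
    spki = _der(0x30, _der(0x30, b"") + _der(0x03, b"\x00" + pubkey_bits))
    tbs = _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01")     # version v3, serial 1
    tbs += _der(0x30, b"") * 4 + spki              # signature, issuer, validity, subject, spki
    return _der(0x30, _der(0x30, tbs) + _der(0x30, b"") + _der(0x03, b"\x00"))

SERVER_CERT = _fake_cert(b"\xab\xcd\xef")          # the submission host's own certificate
OTHER_CA_CERT = _fake_cert(b"\x12\x34\x56")        # a cert some CA might issue for the same name
PINNED_TLSA = "3 1 1 " + hashlib.sha256(spki_from_cert(SERVER_CERT)).hexdigest()
```

With CA-based validation both sample certificates could pass for the same hostname; with the pinned `3 1 1` record only the one carrying the pinned public key is accepted.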
_______________________________________________
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop