On 22/10/2023 16:08, Slavko via mailop wrote:
> Hmm, and what about MUAs?
Without MUA-STS, it's up to the MUAs and only MUAs to enforce connection security. The next step after that would be some kind of pinning.
Some have suggested DANE+DNSSEC, but DNSSEC operators can be coerced just as much as hosting providers can be, but unlike with WebPKI, it wouldn't even leave a publicly visible trace, amongst other problems. TOFU schemes in that sense have worked better in real-life scenarios (but obviously come with other downsides).
_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop