John:
> > - DNSSEC: a man-in-the-middle hardened means of publishing DNS data.
> >
> > - DANE: an IETF working group to develop standards for using DNSSEC
> > to publish authentication information (public keys and the like)
> > that binds DNS names to corresponding credentials.
> >
> > http://datatracker.ietf.org/wg/dane/charter/
> >
> > - TLSA: one of the DNS record types developed by the DANE working group
> > that publishes TLS server keys in DNS. TLSA records are defined in
> > RFC 6698.
> >
> > http://tools.ietf.org/html/rfc6698
> > http://datatracker.ietf.org/doc/rfc6698/
> >
> > So, neither DANE nor TLSA encrypt your data, TLS does that. DANE ...
>
> Does this do anything to solve "Man in the middle" who presents an
> apparently valid cert (usually generated on the fly)? Because I thought
> the only way to detect this was to compare the fingerprint of the key
> presented with the known fingerprint.
With at least one mode of DANE operation, the SMTP server's TLS public-(key or certificate) fingerprint is in the TLSA DNS record. Will that be sufficient for your purposes?

> Just a thought, maybe there is a more appropriate forum/mail list to
> discuss this on, as this is not strictly Postfix related?

I suggest reading the IETF mailing list and documents first. Hear it from the horse's mouth, as it were.

	Wietse
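The fingerprint comparison Wietse describes, as an added illustration that is not Postfix code or anything from the thread: a TLSA record (RFC 6698 layout: usage, selector, matching type, association data) is parsed from wire format and matched against the key a connecting client was shown. The DER bytes, the zone name `_25._tcp.mail.example` and the helper names are constructed for the example; a real client would take the certificate and SPKI from the TLS handshake and the record from a DNSSEC-validated lookup.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Field values from RFC 6698 (usage 3 is named DANE-EE in RFC 7218).
DANE_EE, SELECTOR_CERT, SELECTOR_SPKI = 3, 0, 1
MATCH_FULL, MATCH_SHA256, MATCH_SHA512 = 0, 1, 2

@dataclass(frozen=True)
class TLSA:
    usage: int
    selector: int
    matching_type: int
    association: bytes  # "certificate association data"

    @classmethod
    def from_rdata(cls, rdata: bytes) -> "TLSA":
        """Parse TLSA wire-format RDATA: three one-octet fields, then the association data."""
        if len(rdata) < 3:
            raise ValueError("TLSA RDATA too short")
        return cls(rdata[0], rdata[1], rdata[2], rdata[3:])

    def to_rdata(self) -> bytes:
        return bytes([self.usage, self.selector, self.matching_type]) + self.association

    def to_presentation(self) -> str:  # zone-file form, e.g. "3 1 1 <hex>"
        return f"{self.usage} {self.selector} {self.matching_type} {self.association.hex()}"

def tlsa_matches(record: TLSA, cert_der: bytes, spki_der: bytes) -> bool:
    """True if the presented certificate (or its SubjectPublicKeyInfo) matches the record."""
    selected = {SELECTOR_CERT: cert_der, SELECTOR_SPKI: spki_der}.get(record.selector)
    hasher = {MATCH_FULL: lambda b: b,
              MATCH_SHA256: lambda b: hashlib.sha256(b).digest(),
              MATCH_SHA512: lambda b: hashlib.sha512(b).digest()}.get(record.matching_type)
    if selected is None or hasher is None:
        return False  # unknown selector/matching type: record is unusable, never a match
    return hmac.compare_digest(hasher(selected), record.association)

# Constructed stand-ins for DER bytes (a real client extracts these from the TLS handshake).
LEGIT_SPKI = b"constructed-spki-of-the-real-server-key"
MITM_SPKI = b"constructed-spki-of-a-key-generated-on-the-fly"
# What the domain owner publishes, DNSSEC-signed, at _25._tcp.mail.example (hypothetical name).
PUBLISHED = TLSA(DANE_EE, SELECTOR_SPKI, MATCH_SHA256, hashlib.sha256(LEGIT_SPKI).digest())

def check_server(cert_der: bytes, spki_der: bytes) -> bool:
    record = TLSA.from_rdata(PUBLISHED.to_rdata())  # round-trip through wire format
    return tlsa_matches(record, cert_der, spki_der)
```

With these inputs `check_server` returns True for the published key and False for the on-the-fly one, which is exactly the check a CA-signed but unexpected certificate would otherwise slip past.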