On Tue, Jul 29, 2014 at 05:10:25PM +0200, Robert Schetterer wrote:

> Hi Viktor, perhaps silly question, I sometimes asked myself why not use
> something like advanced SPF with i.e.
>
> IN SPF "v=spf1 mx ip4:1.2.3.4/24
> TLSPOLICY:require-valid-certificate -all"

Well, SPF records are for policy applied by receiving systems to sending systems, while the problem at hand is TLS policy that sending systems should apply to receiving systems. So SPF is the wrong place to publish the information.

Generalizing your suggestion to some other DNS record, if it is not DNSSEC protected (including verified non-existence), then it serves no purpose, since an active attacker can suppress such a record. To thwart passive attacks, just STARTTLS is enough. Thus DANE, which provides a downgrade-resistant signal of TLS support, and also publishes the requisite certificate or public key fingerprints to resist TLS MiTM attacks.

You're re-inventing DANE...

The key observation is that DNS policy records that are not DNSSEC validated don't add any value in terms of MiTM resistance. The EFF registry presumably publishes the data over a "secure channel" (https, presumably via a sensibly chosen CA), and once Postfix policy tables are generated from this data, active attacks are difficult.

-- 
Viktor.
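As an added illustration of the closing point, and not part of the thread itself, here is a Postfix configuration that applies both mechanisms contrasted above: opportunistic DANE by default, for receiving domains that publish DNSSEC-signed TLSA records, and a `secure` policy-map entry generated from a registry fetched over HTTPS for a domain that does not. The domain and host names are placeholders.

```text
# /etc/postfix/main.cf (added example; names are placeholders)

# Postfix only trusts TLSA records that arrive with the DNSSEC "AD" bit set,
# so the resolver in /etc/resolv.conf must be a validating one (e.g. on
# localhost). Without this setting the "dane" level degrades to "may".
smtp_dns_support_level = dnssec

# Default: opportunistic DANE. A DNSSEC-signed TLSA record upgrades the
# session to mandatory, authenticated TLS (matching the published
# certificate or public key digest). Without one, plain STARTTLS is still
# attempted, which defeats passive eavesdropping only.
smtp_tls_security_level = dane

# Per-destination overrides generated from a registry fetched over HTTPS,
# for domains that have not deployed DNSSEC/DANE.
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy


# /etc/postfix/tls_policy (run "postmap /etc/postfix/tls_policy" after edits)
#
# "secure": require TLS, verify the server chain against the CA bundle
# configured in smtp_tls_CAfile/smtp_tls_CApath, and require a certificate
# name matching one of the listed patterns. An active attacker who strips
# STARTTLS or presents a different certificate now causes the mail to be
# deferred instead of silently downgraded, because the policy was obtained
# over a secure channel rather than from an unsigned DNS answer.
example.org     secure match=mail.example.org:.example.org

# "dane-only": for a peer known to publish TLSA records, defer rather than
# fall back to unauthenticated TLS if the record is missing or fails
# DNSSEC validation.
example.net     dane-only
```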