On 29.07.2014 at 19:40, Viktor Dukhovni wrote:
> On Tue, Jul 29, 2014 at 07:24:41PM +0200, BlueStar88 wrote:
>
>> First we should extend DNS using another MX-like entry, to be able to
>> define authoritative MTA client nodes for a specific domain, so we have
>> something to stick on.
> This was abandoned in favour of SPF, DKIM and DMARC.
>
>     http://tools.ietf.org/html/draft-crocker-csv-csa-00
> It was an anti-spam measure, and has no direct bearing on TLS client
> authentication.

That RFC is from 2005 and was considered for anti-spam, as you've said.
But does that mean it is buried forever?
If we have a new - and quite serious - purpose here (having mutual TLS
security in mind), it should be revived to support that.

If there's another way, I'm fine with that. But we have to improve here
by any means, to keep up with the ongoing arms race.
Having neat things like DNSSEC and DANE to back up TLS security
doesn't make much sense, if only one party/peer of each connection can
uphold a certain security level.

-- 
BlueStar88 (bluesta...@xenobite.eu)

