On Wed, Jul 30, 2014 at 03:38:41PM -0400, Jacob S Hoffman-Andrews wrote:
> > The EFF folks behind this effort have reached out to me and we've
> > discussed some of the issues. I am somewhat ambivalent about this,
> > as it introduces a non-scalable registry that does fully address
> > the problem, and perhaps reduces incentives to do it right and
> > deploy DANE. On the other hand, DNSSEC adoption by large providers
> > is a non-trivial effort, and they cannot yet deploy DANE as quickly
> > as they may be able to sign up for the EFF registry. So I am not
> > sure whether this is a step forward or sideways.
>
> I'm one of the implementers behind EFF's STARTTLS-Everywhere project. I see
> it as an intermediate way to decouple deployment of stronger SMTP from
> deployment of DNSSEC. This way, mail operators can start enforcing good TLS
> policies today, so that once their domains are signed, it will be easy and
> safe for them to start using DANE to distribute those policies. If mail
> operators have to wait until their entire domain is signed in order to begin
> trying strong TLS policies, that significantly delays broad deployment.
>
> I realize that DANE could be an incentive for operators to get their domains
> DNSSEC signed, but I think that at some of the largest mail providers, DNS
> is handled by an entirely different organization than email. The email team
> may not have the ability to directly implement DNSSEC themselves, but have
> to wait for another team to resolve the relevant operational issues and
> deploy it. We'd like to give them something positive to implement in the
> meantime that brings them a step closer to the right solution.
>
> Or, to look at it another way: Right now, email providers are bragging about
> implementing STARTTLS. We'd like to continue that virtuous cycle of seeing
> email security upgrades as important and valuable, which will make future
> improvements even easier.
Understood, that's why I said "ambivalent" and "not sure" whether it is a step forward or not. I have sympathy for both views.

-- 
Viktor.