On 2016-03-21 20:09, Per Thorsheim wrote:
On 21.03.2016 18.47, Viktor Dukhovni wrote:
On Mar 21, 2016, at 12:18 PM, David Schweikert <da...@schweikert.ch>
wrote:
I wonder what the Postfix community thinks about, or plans to do about, this standard that is being written:
https://datatracker.ietf.org/doc/draft-margolis-smtp-sts/?include_text=1
My take on the draft is that it is a hack to get the large email providers doing SMTP TLS with authentication amongst themselves while they take multiple years to ponder DNSSEC, which can be tricky to retrofit onto their complex deployments. The draft still has warts to iron out; I'll help them with those.

I am not convinced this scales down at all well, but there will likely be demand for securing outbound email traffic sent to the large providers. I am not a big fan of code to support the centralized email storage model of the large providers, but that battle is lost for now.
Alex Stamos at Facebook has publicly & repeatedly stated that DNSSEC is "dead". I guess that means no RFC 7672 at Facebook. With him making that statement, I already know of others taking the same position. There seems to be a strong anti-DNSSEC crowd, complaining primarily about these issues:

1) Government access / possible interference with DNSSEC
2) Weak encryption (1024-bit keys)
3) Complexity of configuration & maintenance
4) "Only 1 bit to tell you if things are OK or not"
5) DoS capabilities (people forget there are other & easier ways)

Google Public DNS supports DNSSEC, but AFAIK no other part of Google uses it. Although this proposal can live with or without DNSSEC, I am wondering if Google, Microsoft, LinkedIn & other major companies have any plans to deploy DNSSEC and RFC 7672. Or will this proposal be a shorter & easier step forward, eventually delaying or simply ignoring RFC 7672 for the foreseeable future?
Regards,
Per
I do not think the big ISPs will implement DANE in the foreseeable future, as you can see from the authors of this draft. They will implement STS, an SMTP variant of HSTS with a flavor of DMARC, and a variant of HPKP (certificate pinning) will follow very fast. And the big providers will use an STS preload list to circumvent TOFU for their mail servers. I hope they will not use a variant of IMPT (https://tools.ietf.org/html/draft-laber-smtp-impt-00), which is now used by the big German ISPs with their "E-Mail made in Germany (EmiG)".

Therefore the only thing we can do is to see that STS works smoothly with DANE installations.
Regards,
Michael
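As an added illustration of the policy mechanics the thread is arguing about (example code added here, not from the thread, from Postfix, or from the draft's authors): the draft linked above was later published as RFC 8461 (MTA-STS), and the record layout changed between the 2016 draft and the RFC, so this example follows the published RFC 8461 text format rather than the draft's. It parses the `_mta-sts` TXT record and the `mta-sts.txt` policy body, applies the RFC's MX-pattern rule (a leading `*.` stands for exactly one label), and makes the per-MX decision so that an STS pass never overrides a failing DANE check, which is the STS/DANE coexistence Michael's last paragraph asks for. The sample records are constructed for the example, the function names are my own, and two points are this example's own simplifications rather than RFC text: treating a DANE success as sufficient on its own, and rejecting an enforce/testing policy that lists no `mx` patterns.

```python
import re

# Constructed sample records for this example (not from any real domain).
SAMPLE_TXT = "v=STSv1; id=20160321200900Z;"  # TXT record at _mta-sts.<domain>
SAMPLE_POLICY = """\
version: STSv1
mode: enforce
mx: mail.example.com
mx: *.backup.example.net
max_age: 604800
"""  # body served at https://mta-sts.<domain>/.well-known/mta-sts.txt


def parse_sts_txt(txt):
    """Return the policy id from an _mta-sts TXT record, or None if it is not a
    usable STSv1 record (wrong version, or id not 1-32 alphanumerics)."""
    fields = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            return None
        key, value = part.split("=", 1)
        fields[key.strip()] = value.strip()
    if fields.get("v") != "STSv1":
        return None
    policy_id = fields.get("id", "")
    return policy_id if re.fullmatch(r"[A-Za-z0-9]{1,32}", policy_id) else None


def parse_policy(text):
    """Parse the mta-sts.txt body into a dict.  Unknown fields are kept (the RFC
    requires parsers to tolerate them); mx patterns are collected lower-cased.
    Raises ValueError when version, mode or max_age are missing or invalid."""
    policy = {"mx": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if ":" not in line:
            raise ValueError("malformed policy line: %r" % line)
        key, value = (s.strip() for s in line.split(":", 1))
        if key == "mx":
            policy["mx"].append(value.lower())
        else:
            policy[key] = value
    if policy.get("version") != "STSv1":
        raise ValueError("unsupported policy version")
    if policy.get("mode") not in ("enforce", "testing", "none"):
        raise ValueError("invalid or missing mode")
    if not policy.get("max_age", "").isdigit():
        raise ValueError("invalid or missing max_age")
    policy["max_age"] = int(policy["max_age"])
    if policy["mode"] != "none" and not policy["mx"]:
        # Assumption of this example: an enforce/testing policy with no mx
        # patterns can match nothing, so treat it as invalid.
        raise ValueError("enforce/testing policy lists no mx patterns")
    return policy


def mx_matches(pattern, host):
    """RFC 8461 MX matching: exact match, or a leading '*.' standing for exactly
    one label ('*.example.net' matches 'mx.example.net' but not 'example.net'
    or 'a.b.example.net')."""
    host = host.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]  # ".example.net"
        if not host.endswith(suffix):
            return False
        leading = host[: -len(suffix)]
        return bool(leading) and "." not in leading
    return host == pattern


def tls_decision(policy, mx_host, dane_result=None, webpki_ok=True):
    """Per-MX decision: ('deliver', reason) or ('skip', reason), where skip means
    do not use this MX (try another or defer).  dane_result is None when there
    are no DNSSEC-validated TLSA records, True/False for a DANE pass/fail;
    webpki_ok says the certificate chained to a trusted root and names mx_host."""
    # RFC 8461 section 2: STS validation must not override a failing DANE check.
    if dane_result is False:
        return ("skip", "DANE verification failed; MTA-STS cannot override it")
    if dane_result is True:
        # Simplification of this example: a DNSSEC-validated DANE success is
        # accepted as sufficient without re-checking the STS mx list.
        return ("deliver", "DANE verified")
    if policy["mode"] == "none":
        return ("deliver", "policy mode none: no STS requirement")
    mx_listed = any(mx_matches(p, mx_host) for p in policy["mx"])
    if mx_listed and webpki_ok:
        return ("deliver", "MX listed in STS policy and certificate verified")
    problem = "MX not in STS policy" if not mx_listed else "certificate failed"
    if policy["mode"] == "enforce":
        return ("skip", problem + " (enforce mode)")
    return ("deliver", problem + " (testing mode: deliver and report)")
```

The wildcard rule is the part most often got wrong in ad-hoc implementations: `*.backup.example.net` must accept `mx1.backup.example.net` but reject both the bare `backup.example.net` and the deeper `a.b.backup.example.net`, otherwise a policy meant to pin one layer of hosts pins far more. The DANE branch runs before any STS logic on purpose: a cached STS policy is authenticated only by the web PKI, so letting it rescue a DNSSEC-validated TLSA mismatch would hand an attacker exactly the downgrade that DANE was deployed to prevent.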