Hi Viktor,
On Sun, Apr 10, 2016 at 20:36:42 +, Viktor Dukhovni wrote:
> > OK, got it. But this is going to work only for nexthops / relays
> > specified as a mail domain (and not as hosts), right?
>
> Either. For example, DANE works regardless of whether routing is
> via MX records or direct

On Mon, Apr 11, 2016 at 10:07:14AM +0200, Daniel Margolis wrote:
> I see your point. But I think one thing still needs to be specified. In the
> smarthost case, what domain is used to validate the server certificate
> during the HTTPS policy fetch?
The nexthop domain. It may, or may not, be subj

Hiya,
With no hats, I'd like to argue that the WG should pursue
the "webby" STS proposal, but should also ensure that we
do not damage progress made by those who are deploying the
DANE/DNSSEC approach to securing MTA-MTA connections.
I think we can do that by requiring that outbound MTAs
that im

On 4/11/16 1:45 PM, Stephen Farrell wrote:
> - We can, and probably will, define a "webby" to achieve
> the same desired effect of getting beyond opportunistic
> security. Daniel and co's STS approach (as outlined for
> the next revision in B-A) is one such, and seems like
> it's one that c

On Mon, Apr 11, 2016 at 09:45:06PM +0100, Stephen Farrell wrote:
> With no hats, I'd like to argue that the WG should pursue
> the "webby" STS proposal, but should also ensure that we
> do not damage progress made by those who are deploying the
> DANE/DNSSEC approach to securing MTA-MTA connection