On Mon, Apr 11, 2016 at 09:45:06PM +0100, Stephen Farrell wrote:

> With no hats, I'd like to argue that the WG should pursue
> the "webby" STS proposal, but should also ensure that we
> do not damage progress made by those who are deploying the
> DANE/DNSSEC approach to securing MTA-MTA connections.
>
> I think we can do that by requiring that outbound MTAs
> that implement the "webby" approach MUST/SHOULD first test
> for, and process, TLSA records for the next MX in the path.
> In other words the "webby" approach is tried 2nd.
[ By the way, both DANE and STS are still opportunistic security as defined in RFC 7435; the difference is that these are not just unauthenticated encryption. DANE and STS are used on the fly with peers that publish the relevant policy via some downgrade-resistant mechanism. ]

In Postfix, if and when we do implement client-side "webby" STS, I expect that STS will be trumped by any DANE policy on MTAs that support both (when sending email to destinations that support both). One key reason is that DANE downgrade-resistance is stronger (works on first contact) and DANE is exposed to fewer trusted CAs.

-- 
Viktor.

_______________________________________________
Uta mailing list
Uta@ietf.org
https://www.ietf.org/mailman/listinfo/uta
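The precedence rule discussed in this thread (check DNSSEC-validated TLSA records for the next MX first, fall back to an STS policy only when DANE does not apply, otherwise plain opportunistic TLS), as an added illustration that is not Postfix code or anything from the list. The DNS answers, STS policies and the simplified "MX must appear in the policy" rule are constructed assumptions for the example.

```python
from dataclasses import dataclass

@dataclass
class DnsAnswer:
    records: list   # TLSA RRs as text, e.g. "3 1 1 <digest>"
    validated: bool # True only when the resolver set the AD bit (DNSSEC-validated)

# Constructed sample resolver data; hostnames and digests are placeholders.
SAMPLE_DNS = {
    # Signed zone with a TLSA record: DANE applies.
    "_25._tcp.mx1.example.net.": DnsAnswer(["3 1 1 <constructed-digest>"], True),
    # TLSA record present but NOT DNSSEC-validated: gives no downgrade
    # resistance, so it must be treated as absent.
    "_25._tcp.mx.example.org.": DnsAnswer(["3 1 1 <constructed-digest>"], False),
}

# Constructed STS policies keyed by recipient domain (assumed simplified format).
SAMPLE_STS = {
    "example.net": {"mode": "enforce", "mx": ["mx1.example.net", "mx2.example.net"]},
    "example.org": {"mode": "enforce", "mx": ["mx.example.org"]},
}

def choose_policy(domain, mx_host, dns=SAMPLE_DNS, sts=SAMPLE_STS):
    """Return (policy_kind, detail) for one MX host of `domain`.

    policy_kind is "dane", "sts", "sts-mismatch" or "opportunistic".
    DANE is evaluated first, as the thread proposes; STS is only consulted
    when no usable (validated, non-empty) TLSA RRset exists for the MX.
    """
    answer = dns.get(f"_25._tcp.{mx_host}.")
    if answer is not None and answer.validated and answer.records:
        return "dane", answer.records
    policy = sts.get(domain)
    if policy is not None and policy.get("mode") == "enforce":
        # Assumed STS rule: the MX host must be listed in the published policy;
        # an unlisted MX under an enforce policy must not be used.
        if mx_host in policy["mx"]:
            return "sts", policy
        return "sts-mismatch", policy
    return "opportunistic", None

def plan_delivery(domain, mx_hosts, dns=SAMPLE_DNS, sts=SAMPLE_STS):
    """Evaluate the rule for each MX in preference order; skip hosts an
    enforce-mode STS policy does not list."""
    plan = []
    for host in mx_hosts:
        kind, detail = choose_policy(domain, host, dns, sts)
        if kind != "sts-mismatch":
            plan.append((host, kind))
    return plan
```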