I'm not sure if I'm being stupid here, but what does it mean for STS to be "trumped" by DANE (or the reverse)? Do you mean that if the recipient domain/MX has both STS and DANE you will *only* validate the DANE policy?
If we instead said that senders who validate STS must honor STS and senders who validate DANE must honor DANE, is there a conflict? I would presume that if there is either a DANE failure or an STS failure senders who validate both will treat it as a failure. Introducing a concept of priority strikes me as unnecessary. What am I missing?

On Mon, Apr 11, 2016 at 11:21 PM, Viktor Dukhovni <ietf-d...@dukhovni.org> wrote:

> On Mon, Apr 11, 2016 at 09:45:06PM +0100, Stephen Farrell wrote:
>
> > With no hats, I'd like to argue that the WG should pursue
> > the "webby" STS proposal, but should also ensure that we
> > do not damage progress made by those who are deploying the
> > DANE/DNSSEC approach to securing MTA-MTA connections.
> >
> > I think we can do that by requiring that outbound MTAs
> > that implement the "webby" approach MUST/SHOULD first test
> > for, and process, TLSA records for the next MX in the path.
> > In other words the "webby" approach is tried 2nd.
>
> [ By the way both DANE and STS are still opportunistic security as
> defined in RFC 7435, the difference is that these are not just
> unauthenticated encryption. DANE and STS are used on the fly
> with peers that publish the relevant policy via some downgrade-
> resistant mechanism. ]
>
> In Postfix, if and when we do implement client-side "webby" STS,
> I expect that STS will be trumped by any DANE policy on MTAs that
> support both (when sending email to destinations that support both).
> One key reason is that DANE downgrade-resistance is stronger (works
> on first contact) and DANE is exposed to fewer trusted CAs.
>
> --
> Viktor.
>
> _______________________________________________
> Uta mailing list
> Uta@ietf.org
> https://www.ietf.org/mailman/listinfo/uta
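To make the question in this exchange concrete, the following is an added example (not Postfix code and not from any poster) that encodes the two combining rules discussed, "DANE trumps STS" versus "every validated policy must pass", as functions over an assumed per-destination state, and enumerates the inputs on which they disagree. The `TlsPolicyState` fields are a simplification constructed for this example.

```python
from dataclasses import dataclass
from enum import Enum


class Outcome(Enum):
    DELIVER = "deliver"   # TLS policy satisfied, hand the message to the MX
    DEFER = "defer"       # a validated policy failed, queue and retry later


@dataclass(frozen=True)
class TlsPolicyState:
    """Hypothetical view an outbound MTA holds for one destination after the
    DNS lookups and the TLS handshake (fields constructed for this example)."""
    dane_usable: bool    # DNSSEC-signed TLSA records were found for the MX
    dane_matched: bool   # server certificate matched one of the TLSA records
    sts_present: bool    # an STS policy for the recipient domain was obtained
    sts_matched: bool    # cert chains to a trusted CA and name matches STS MX


def dane_trumps_sts(s: TlsPolicyState) -> Outcome:
    """Precedence model from the quoted message: a usable DANE policy decides
    alone; STS is consulted only when no DANE policy is available."""
    if s.dane_usable:
        return Outcome.DELIVER if s.dane_matched else Outcome.DEFER
    if s.sts_present:
        return Outcome.DELIVER if s.sts_matched else Outcome.DEFER
    return Outcome.DELIVER   # no policy at all: plain opportunistic TLS


def both_must_pass(s: TlsPolicyState) -> Outcome:
    """Conjunction model from the reply: any failure of a policy the sender
    validated (DANE or STS) is treated as a failure."""
    if s.dane_usable and not s.dane_matched:
        return Outcome.DEFER
    if s.sts_present and not s.sts_matched:
        return Outcome.DEFER
    return Outcome.DELIVER


def disagreements() -> list:
    """Walk all 16 input combinations; return (state, precedence, conjunction)
    for every state where the two models reach different outcomes."""
    diffs = []
    for bits in range(16):
        flags = [bool((bits >> i) & 1) for i in range(4)]
        s = TlsPolicyState(*flags)
        a, b = dane_trumps_sts(s), both_must_pass(s)
        if a != b:
            diffs.append((s, a, b))
    return diffs
```

The only state on which the models diverge is a DANE match combined with an STS failure: the precedence model delivers, the conjunction model defers.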