On Wed, Apr 13, 2016 at 10:59:06AM +0100, Neil Cook wrote:

> However this does bring up a good point - if I want to support STS *and*
> DANE as a receiver, and have a homogeneous MX/MTA setup, i.e. not something
> like the above, I would have to support the common subset of both
> specifications, at least as far as MTA configuration is concerned, e.g.
> no self-signed certs. That is a consequence we haven't discussed before.
STS is WebPKI. If you want STS, you need a certificate from one of the usual CAs. With a self-signed certificate (some day just a bare public key and no certificate at all) you can only use DANE.

Top 10 issuers of certs for DANE MX hosts:

172 ; Issuer = CN=StartCom Class 1 Primary Intermediate Server CA,OU=Secure Digital Certificate Signing,O=StartCom Ltd.,C=IL
166 ; Issuer = CN=COMODO RSA Domain Validation Secure Server CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB
165 ; Issuer = CN=Let's Encrypt Authority X1,O=Let's Encrypt,C=US
 91 ; Issuer = CN=StartCom Class 2 Primary Intermediate Server CA,OU=Secure Digital Certificate Signing,O=StartCom Ltd.,C=IL
 90 ; Issuer = CN=Gandi Standard SSL CA 2,O=Gandi,L=Paris,ST=Paris,C=FR
 81 ; Issuer = CN=StartCom Class 1 DV Server CA,OU=StartCom Certification Authority,O=StartCom Ltd.,C=IL
 63 ; Issuer = CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US
 62 ; Issuer = CN=RapidSSL SHA256 CA - G3,O=GeoTrust Inc.,C=US
 38 ; Issuer = CN=WoSign CA Free SSL Certificate G2,O=WoSign CA Limited,C=CN
 33 ; Issuer = CN=CAcert Class 3 Root,OU=http://www.CAcert.org,O=CAcert Inc.

( Note some of the MX hosts support many hundreds of domains, the above counts the issuer just once for each issued certificate, not once per domain served. )

-- 
Viktor.

_______________________________________________
Uta mailing list
Uta@ietf.org
https://www.ietf.org/mailman/listinfo/uta
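The point in the reply above is that DANE binds the MX host's key (or certificate) directly via a TLSA record, so no CA is involved, whereas STS inherits the WebPKI requirement. The following is an added example, not code from the thread or from any MTA: it computes and checks the certificate association data of a DANE-EE ("3 1 1") TLSA record with a minimal hand-written DER walker, so that it runs with the standard library only. The certificates it checks are constructed toys (unsigned, empty names, fixed dummy keys) built just to have the RFC 5280 field layout; `make_cert`, `TOY_SPKI` and `OTHER_SPKI` are this example's own names. It goes slightly beyond the "3 1 1" case by also showing selector 0 (full certificate), which is what makes re-issuing a self-signed certificate with the same key either harmless (selector 1) or a TLSA mismatch (selector 0).

```python
import hashlib

# --- minimal DER encode/decode, enough to walk an X.509 certificate (constructed helpers) ---

def der(tag: int, content: bytes) -> bytes:
    """Encode one DER TLV with definite length (content up to 64 KiB, plenty here)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = bytes([0x81, n])
    else:
        length = bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + length + content

def der_read(buf: bytes, pos: int = 0):
    """Parse the TLV at buf[pos:]; return (tag, content, raw_tlv, end_offset)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + nbytes], "big")
        hdr = 2 + nbytes
    start, end = pos + hdr, pos + hdr + length
    return tag, buf[start:end], buf[pos:end], end

def der_children(content: bytes):
    """Split the content of a constructed value into (tag, raw_tlv) children."""
    out, pos = [], 0
    while pos < len(content):
        tag, _, raw, pos = der_read(content, pos)
        out.append((tag, raw))
    return out

def spki_from_cert(cert_der: bytes) -> bytes:
    """Return the DER SubjectPublicKeyInfo of a certificate (RFC 5280 TBSCertificate layout)."""
    _, cert_body, _, _ = der_read(cert_der)
    _, tbs_raw = der_children(cert_body)[0]          # tbsCertificate is the first element
    _, tbs_body, _, _ = der_read(tbs_raw)
    fields = der_children(tbs_body)
    # [0] version (optional), serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    idx = 6 if fields[0][0] == 0xA0 else 5
    return fields[idx][1]

# --- TLSA certificate association data (RFC 6698 section 2.1) ---

def tlsa_data(cert_der: bytes, selector: int, mtype: int) -> bytes:
    """selector 0 = full certificate, 1 = SubjectPublicKeyInfo; mtype 0 = exact, 1 = SHA-256, 2 = SHA-512."""
    payload = cert_der if selector == 0 else spki_from_cert(cert_der)
    if mtype == 0:
        return payload
    if mtype == 1:
        return hashlib.sha256(payload).digest()
    if mtype == 2:
        return hashlib.sha512(payload).digest()
    raise ValueError("unknown matching type")

def tlsa_record(cert_der: bytes, usage: int = 3, selector: int = 1, mtype: int = 1) -> str:
    """Presentation form of the TLSA RDATA, e.g. '3 1 1 <hex>'."""
    return f"{usage} {selector} {mtype} {tlsa_data(cert_der, selector, mtype).hex()}"

def tlsa_matches(record: str, cert_der: bytes) -> bool:
    """DANE-EE (usage 3) check: the presented certificate alone must match; no CA, no chain."""
    usage, selector, mtype, data = record.split()
    if int(usage) != 3:
        raise NotImplementedError("DANE-TA (usage 2) needs chain building; not shown here")
    return tlsa_data(cert_der, int(selector), int(mtype)).hex() == data.lower()

# --- constructed toy certificates: syntactically valid DER, no real key, no real signature ---

OID_SHA256_RSA = bytes.fromhex("06092a864886f70d01010b")   # 1.2.840.113549.1.1.11
OID_RSA        = bytes.fromhex("06092a864886f70d010101")   # 1.2.840.113549.1.1.1

def make_spki(key_bytes: bytes) -> bytes:
    """SubjectPublicKeyInfo wrapper around arbitrary dummy key bytes (constructed)."""
    return der(0x30, der(0x30, OID_RSA + der(0x05, b"")) + der(0x03, b"\x00" + key_bytes))

def make_cert(serial: int, spki: bytes) -> bytes:
    """Unsigned toy X.509 v3 certificate with empty issuer/subject names around `spki`."""
    alg = der(0x30, OID_SHA256_RSA + der(0x05, b""))
    name = der(0x30, b"")                                       # empty Name placeholder
    validity = der(0x30, der(0x17, b"160101000000Z") + der(0x17, b"170101000000Z"))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02"))               # [0] version v3
                    + der(0x02, bytes([serial])) + alg + name + validity + name + spki)
    return der(0x30, tbs + alg + der(0x03, b"\x00" + bytes(32)))  # dummy signature BIT STRING

TOY_SPKI   = make_spki(bytes(range(1, 65)))
OTHER_SPKI = make_spki(bytes(range(65, 129)))

def demo() -> dict:
    cert_a = make_cert(1, TOY_SPKI)          # the self-signed cert published today
    cert_b = make_cert(2, TOY_SPKI)          # re-issued later, same key
    cert_c = make_cert(3, OTHER_SPKI)        # key rotated without updating DNS
    rr_spki = tlsa_record(cert_a)            # "3 1 1 ..." pins the key only
    rr_full = tlsa_record(cert_a, selector=0)  # "3 0 1 ..." pins the whole certificate
    return {
        "record": rr_spki,
        "same_key_reissued": tlsa_matches(rr_spki, cert_b),    # True: key unchanged
        "rotated_key": tlsa_matches(rr_spki, cert_c),          # False: DNS must change first
        "full_cert_reissued": tlsa_matches(rr_full, cert_b),   # False: selector 0 breaks on re-issue
    }

if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The "3 1 1" form is the one an operator would publish for an MX with a self-signed certificate: the record only commits to the SubjectPublicKeyInfo, so the certificate around it can be replaced freely as long as the key stays the same, and the rotated-key case shows why the new TLSA record has to be in DNS (and past its TTL) before the MTA switches keys. Usage 2 (DANE-TA) is deliberately left unimplemented here because it requires chain building, which is exactly the part a CA-based scheme such as STS supplies and this key-pinning check does not.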