>> However this does bring up a good point - if I want to support STS *and*
>> DANE as a receiver, and have a homogeneous MX/MTA setup, i.e. not something
>> like the above, I would have to support the common subset of both
>> specifications, at least as far as MTA configuration is concerned, e.g.
>> no self-signed certs. That is a consequence we haven't discussed before.

> STS is WebPKI.  If you want STS, you need a certificate from one
> of the usual CAs.  With a self-signed certificate (some day just
> a bare public key and no certificate at all) you can only use DANE.
Yes, the STS policy is served over WebPKI, but in the STS policy you may still
specify/pin a public key or certificate for the MX server. Pinning is proposed as
future work for STS along with additional constraints like minimum TLS version, PFS,
etc. STS uses WebPKI/Root CA as the trust anchor for policy distribution; in the
case of DANE, the trust anchor is the DNS root (through DNSSEC).

From: Viktor Dukhovni <ietf-d...@dukhovni.org>
To: uta@ietf.org
Sent: Wednesday, 13 April 2016 12:14 PM
Subject: Re: [Uta] "webby" STS and DANE/DNSSEC co-existence

On Wed, Apr 13, 2016 at 10:59:06AM +0100, Neil Cook wrote:

> However this does bring up a good point - if I want to support STS *and*
> DANE as a receiver, and have a homogeneous MX/MTA setup, i.e. not something
> like the above, I would have to support the common subset of both
> specifications, at least as far as MTA configuration is concerned, e.g.
> no self-signed certs. That is a consequence we haven't discussed before.

STS is WebPKI.  If you want STS, you need a certificate from one
of the usual CAs.  With a self-signed certificate (some day just
a bare public key and no certificate at all) you can only use DANE.

Top 10 issuers of certs for DANE MX hosts:

    172 ; Issuer = CN=StartCom Class 1 Primary Intermediate Server CA,OU=Secure Digital Certificate Signing,O=StartCom Ltd.,C=IL
    166 ; Issuer = CN=COMODO RSA Domain Validation Secure Server CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB
    165 ; Issuer = CN=Let's Encrypt Authority X1,O=Let's Encrypt,C=US
     91 ; Issuer = CN=StartCom Class 2 Primary Intermediate Server CA,OU=Secure Digital Certificate Signing,O=StartCom Ltd.,C=IL
     90 ; Issuer = CN=Gandi Standard SSL CA 2,O=Gandi,L=Paris,ST=Paris,C=FR
     81 ; Issuer = CN=StartCom Class 1 DV Server CA,OU=StartCom Certification Authority,O=StartCom Ltd.,C=IL
     63 ; Issuer = CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US
     62 ; Issuer = CN=RapidSSL SHA256 CA - G3,O=GeoTrust Inc.,C=US
     38 ; Issuer = CN=WoSign CA Free SSL Certificate G2,O=WoSign CA Limited,C=CN
     33 ; Issuer = CN=CAcert Class 3 Root,OU=http://www.CAcert.org,O=CAcert Inc.

(Note some of the MX hosts support many hundreds of domains; the above counts
the issuer just once for each issued certificate, not once per domain served.)

-- 
    Viktor.

_______________________________________________
Uta mailing list
Uta@ietf.org
https://www.ietf.org/mailman/listinfo/uta
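To illustrate the point made above about trust anchors, here is an added demonstration (constructed for this page, not code from the thread or from any MTA) that generates a self-signed certificate for a placeholder MX host, publishes its "3 0 1" TLSA record as a DANE-EE sender would match it, and then shows the same certificate failing the WebPKI chain check that STS depends on. It assumes the openssl CLI is installed and that the system trust store contains no such self-signed cert.

```shell
# Constructed demonstration: DANE-EE accepts a self-signed MX certificate, WebPKI does not.
# Assumes the openssl CLI is available. mx.example.test is a placeholder host name.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
MX_CERT="$WORK/mx.pem"

# Self-signed certificate for the hypothetical MX host (no public CA involved)
openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=mx.example.test" \
    -keyout "$WORK/mx.key" -out "$MX_CERT" 2>/dev/null

# TLSA "3 0 1": usage 3 (DANE-EE), selector 0 (full certificate), matching type 1
# (SHA-256 of the DER-encoded certificate). Prints the 64-hex-digit RDATA field.
tlsa_3_0_1() {
    openssl x509 -in "$1" -outform DER | openssl dgst -sha256 | awk '{print $NF}'
}

# What a DANE-verifying sender does: hash the certificate the MX presented and
# compare it with the TLSA RDATA obtained via DNSSEC. Only "3 0 1" is handled here.
dane_matches() {
    cert="$1"; rdata="$2"
    usage=$(echo "$rdata" | awk '{print $1}')
    selector=$(echo "$rdata" | awk '{print $2}')
    mtype=$(echo "$rdata" | awk '{print $3}')
    expected=$(echo "$rdata" | awk '{print $4}')
    [ "$usage" = 3 ] && [ "$selector" = 0 ] && [ "$mtype" = 1 ] || return 2
    [ "$(tlsa_3_0_1 "$cert")" = "$expected" ]
}

# What an STS-verifying sender does: require a chain to a trusted public CA.
# No -CAfile is given on purpose, so only the system trust store counts.
webpki_ok() {
    openssl verify "$1" >/dev/null 2>&1
}

TLSA_RDATA="3 0 1 $(tlsa_3_0_1 "$MX_CERT")"
echo "_25._tcp.mx.example.test. IN TLSA $TLSA_RDATA"
if dane_matches "$MX_CERT" "$TLSA_RDATA"; then
    echo "DANE-EE: certificate matches TLSA record"
fi
if webpki_ok "$MX_CERT"; then
    echo "WebPKI: chain verified"
else
    echo "WebPKI: rejected (self-signed), so this MX could not satisfy STS"
fi
```

A CA-issued certificate, such as those from the issuers listed in the thread, passes the second check as well and can therefore be published in a TLSA record and still satisfy STS, which is the "common subset" the thread refers to.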