On Wed, Apr 13, 2016 at 08:58:58PM +0000, Binu Ramakrishnan wrote:
> > STS is WebPKI. If you want STS, you need a certificate from one
> > of the usual CAs. With a self-signed certificate (some day just
> > a bare public key and no certificate at all) you can only use DANE.
>
> Yes, the STS policy is served over WebPKI, but in the STS policy you may
> still specify/pin a public key or certificate for the MX server. Pinning is
> proposed as future work for STS along with additional constraints like
> min TLS version, PFS etc. STS uses WebPKI/Root CA as the trust anchor for policy
> distribution, and in the case of DANE, the trust anchor is the DNS root (through
> DNSSEC).
See my response to Chris Newman. The more prescriptive/ambitious the STS design, the less likely it is to see workable broad adoption. If the STS spec is just for email between Yahoo and Gmail, sure, go for it. Less work for me, I won't need to implement yet another transport security mechanism. A more reasonably modest STS would stay well clear of prescribing such fine details. Once the policy lookup requires WebPKI support, pinning MX host certs is fragile over-engineering.

-- 
Viktor.

_______________________________________________
Uta mailing list
Uta@ietf.org
https://www.ietf.org/mailman/listinfo/uta