> On 14 Apr 2016, at 15:58, Daniel Margolis <dmargo...@google.com> wrote:
>
> > On Thu, Apr 14, 2016 at 8:38 AM, Viktor Dukhovni <ietf-d...@dukhovni.org> wrote:
> >
> > If the STS spec is just for email between Yahoo and Gmail, sure,
> > go for it. Less work for me, I won't need to implement yet another
> > transport security mechanism.
> >
> > A more reasonably modest STS would stay well clear of prescribing
> > such fine details. Once the policy lookup requires WebPKI support,
> > pinning MX host certs is fragile over-engineering.
>
> To be clear, HPKP allows pinning a root or intermediate cert, not just the
> host cert. I think pinning someone in the cert chain and not the host cert is
> generally preferable (in terms of safety and ease of certificate rollover).
The SMTP-STS draft mentions 'certificate pinning' as future work. Would you really want to go the way of HPKP? It's been an utter deployment and management disaster [0] [1]. While I agree that pinning to host keys will mean more trouble for admins, I do feel that HPKP in general is a completely wrong approach. Adding this on top of STS will most surely make mails bounce at massive scale, at least in small deployments. Companies like the ones authoring the STS draft will have proper engineering teams and manpower available. Not every MX on the internet is Gmail or Yahoo, just to reiterate my concern about STS's complexity and out-of-band behaviour.

I've repeatedly suggested a better solution for pinning that works with WebPKI-based trust anchors and would not need a webserver along with an MTA.

To be honest: this is getting a bit frustrating. I feel the STS authors look for a solution that works well within their domains and management cycles, but that's far from the rest of the internet community - they do not have the same manpower as said companies have. And even automating HPKP is doomed to fail, some tried, I haven't seen a good working solution.

Aaron

[0] http://news.netcraft.com/archives/2016/03/30/http-public-key-pinning-youre-doing-it-wrong.html (current)
[1] https://www.internetsociety.org/sites/default/files/01_4_0.pdf (about a year old)
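The matching rule Daniel refers to (any element of the presented chain may satisfy the pin set, so pinning an intermediate survives a host-key rollover while pinning the host key does not) as an added Go example; it is not code from this thread or from any STS or HPKP implementation, the chain is constructed from fresh P-256 keys standing in for certificates, and the function names are my own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"fmt"
)

// spkiPin is the HPKP-style pin of a key: base64(SHA-256(DER SubjectPublicKeyInfo)).
func spkiPin(pub *ecdsa.PublicKey) string {
	der, _ := x509.MarshalPKIXPublicKey(pub) // cannot fail for a valid ECDSA key
	sum := sha256.Sum256(der)
	return base64.StdEncoding.EncodeToString(sum[:])
}
// chainMatchesPins applies the HPKP rule: the presented chain (leaf first, then
// intermediates, then root) is accepted if any element's pin is in the pin set.
func chainMatchesPins(chain []*ecdsa.PublicKey, pins []string) bool {
	for _, pub := range chain {
		pin := spkiPin(pub)
		for _, p := range pins {
			if p == pin {
				return true
			}
		}
	}
	return false
}
func newKey() *ecdsa.PublicKey { // fresh key standing in for one certificate (constructed)
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return &priv.PublicKey
}
// rolloverDemo builds a constructed MX chain (root, intermediate, leaf), pins either
// the host (leaf) key or the intermediate, rotates the leaf, and reports whether the
// pin set still accepts the rotated chain.
func rolloverDemo(pinLeaf bool) bool {
	root, inter, oldLeaf, newLeaf := newKey(), newKey(), newKey(), newKey()
	pins := []string{spkiPin(inter)}
	if pinLeaf {
		pins = []string{spkiPin(oldLeaf)}
	}
	return chainMatchesPins([]*ecdsa.PublicKey{newLeaf, inter, root}, pins)
}

func main() {
	fmt.Println("intermediate pinned, leaf rotated:", rolloverDemo(false)) // true
	fmt.Println("host key pinned, leaf rotated:", rolloverDemo(true))      // false
}
```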
Uta mailing list
Uta@ietf.org
https://www.ietf.org/mailman/listinfo/uta