On Thu, Oct 12, 2017 at 11:16:18AM +0100, Ivan Ristic wrote:
>
> Sorry, I should have made it more clear. I was using the conflict to give a
> supporting example for the conversation in the other thread.
>
> The custom MX hostname validation in MTA-STS conflicts with DANE, not
> because it's DANE, but because it does way differently from everything else
> in TLS. In TLS, you decide which host you want to connect to, then you
> validate the connection is valid for that hostname.
It does not just conflict with DANE, it also conflicts with some TLS client APIs. And I would imagine that authors of such APIs would _not_ be supportive of additions to support nonstandard name matching (I can certainly say I am not).

Furthermore, it is not compatible with sending SNI either. There are servers out there that will outright abort on unknown SNI, and the SNI specification explicitly states this as one of the recommended outcomes, with a note that trying to continue probably won't work.

-Ilari

_______________________________________________
Uta mailing list
Uta@ietf.org
https://www.ietf.org/mailman/listinfo/uta
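The conventional TLS client flow both messages refer to (decide on the MX host first, send that name as SNI, validate the certificate for that same name), written out as an added Python example that is not from the thread or from any MTA-STS implementation; the matcher follows the usual DNS-ID rules, `smtplib`/`ssl` are the standard library, and all hostnames are constructed.

```python
"""Added example: standard SMTP-sender TLS flow where one hostname (the MX
host chosen before the handshake) drives both SNI and certificate checking.
Sample names are constructed, not taken from any real deployment."""
import smtplib
import ssl


def cert_matches_hostname(san_dns_names, hostname):
    """RFC 6125-style DNS-ID matching as TLS libraries do it: case-insensitive
    exact match, or a wildcard confined to the leftmost label. '*.example.net'
    matches 'mx1.example.net' but not 'example.net' or 'a.b.example.net', and a
    wildcard never covers a public suffix such as '*.net'."""
    host_labels = hostname.lower().rstrip(".").split(".")
    for name in san_dns_names:
        labels = name.lower().rstrip(".").split(".")
        if labels == host_labels:
            return True
        if (labels[0] == "*" and len(labels) == len(host_labels) >= 3
                and labels[1:] == host_labels[1:]):
            return True
    return False


def mx_tls_context():
    """Default verification: chain to a trusted root plus a hostname check that
    is bound to whatever name is passed as server_hostname at connect time."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def connect_to_mx(mx_host):
    """The host is decided first (from the MX lookup); smtplib then hands that
    same name to the TLS layer, which uses it for SNI and for the certificate
    name check. The API offers no separate 'name to validate against'."""
    conn = smtplib.SMTP(mx_host, 25, timeout=30)
    conn.ehlo()
    conn.starttls(context=mx_tls_context())  # SNI == mx_host == validated name
    conn.ehlo()
    return conn
```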