On Wed, Mar 13, 2019 at 2:49 PM Viktor Dukhovni <ietf-d...@dukhovni.org> wrote:
> > On Mar 13, 2019, at 5:13 PM, Eric Rescorla <e...@rtfm.com> wrote:
> >
> > Well, I think this field should only override the outgoing and not
> > incoming policies (or be removed).
>
> To be clear, let's imagine a company (say a bank) with the following TLS
> policies (written roughly Postfix-style, but should be clear even to the
> uninitiated):
>
> # Mandatory PKIX authenticated TLS with back office settlement business partner,
> # And mutually agreed set of CAs.
> #
> partner.example secure tafile=partner-cas.pem match=mx.partner.example
>
> # Mandatory DANE-TLS with another business partner known to support DANE
> #
> partner2.example dane-only
>
> # Opportunistic DANE TLS when available with general-purpose email
> # (In real life the global default would be specified elsewhere)
> * dane
>
> I think you're saying that the company could allow its users to bypass
> the local-policy business partner domain rules, but must refuse to
> allow users to exempt casual correspondence from DANE (or MTA-STS)
> policy when published by the destination domain.
>
> Is that right?

Yes.

-Ekr

> --
> Viktor.
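As an added illustration (not code from the thread or from Postfix), the rule the two agree on above can be modelled as a policy decision: a sender's opt-out may relax the MTA's own outgoing table, but never a policy the destination domain itself publishes. The table is the one Viktor posted; the `sender_opts_out` flag standing in for the draft's header field and the `destination_has_dane` flag standing in for a TLSA/MTA-STS lookup are assumptions.

```python
from typing import Dict, Tuple

# Constructed sample: the Postfix-style policy table from the message above.
SAMPLE_POLICY = """
# Mandatory PKIX authenticated TLS with back office settlement partner
partner.example secure tafile=partner-cas.pem match=mx.partner.example
# Mandatory DANE-TLS with another business partner known to support DANE
partner2.example dane-only
# Opportunistic DANE TLS when available with general-purpose email
* dane
"""

# Local levels that force authenticated TLS on the sending side.
MANDATORY_LEVELS = {"secure", "dane-only"}


def parse_policy(text: str) -> Dict[str, Tuple[str, Dict[str, str]]]:
    """Parse 'domain level [attr=value ...]' lines; '*' is the default entry."""
    table = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        domain, level, *attrs = line.split()
        table[domain] = (level, dict(a.split("=", 1) for a in attrs))
    return table


def effective_level(table, domain: str, sender_opts_out: bool,
                    destination_has_dane: bool) -> str:
    """Return the TLS level the MTA must actually enforce for this delivery.

    destination_has_dane is an assumed input: True when the destination has
    published TLSA records (an MTA-STS policy would be treated the same way).
    """
    level, _attrs = table.get(domain, table["*"])
    if destination_has_dane:
        # Published by the destination domain: the sender cannot exempt
        # this message, whatever the local table or the opt-out says.
        return "dane-only"
    if sender_opts_out and level in MANDATORY_LEVELS:
        # Only the local administrator's rule is bypassed, so fall back to
        # opportunistic TLS (Postfix's "may").
        return "may"
    return level
```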
_______________________________________________
Uta mailing list
Uta@ietf.org
https://www.ietf.org/mailman/listinfo/uta