>>>>> "VD" == Viktor Dukhovni <[email protected]> writes:
VD> On Fri, Sep 06, 2013 at 09:17:20AM -0400, James Cloos wrote:
>> The idea of using the existence of an unsecured tlsa rr as a hint that
>> tls must be used was, IIRC, discussed in the early days of this wg.

VD> This is largely impractical for SMTP.  SMTP TLSA RRs are of course
VD> tied to MX hosts (transport destinations), not email domains.  An
VD> MITM can bypass any such cached RRs by sending malicious MX replies.

I was noting history above, not advocating.

I also wrote that the wg consensus was against using unsecured TLSA
(or other new RRs) for anything.

I always preferred dnssec-for-everything-dane.

-JimC
-- 
James Cloos <[email protected]>         OpenPGP: 1024D/ED7DAEA6
_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane
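An added model of the point Viktor makes in the quoted reply, written for this page and not taken from the thread or from any DANE implementation: a per-MX-host cache of "a TLSA RR exists here, so TLS is required" built from unsigned data, beside the dnssec-for-everything policy James prefers. The zone data, the names example.com, mx.example.com and attacker.test, the `Resolver`/`Answer` classes and the `forged` map standing in for an on-path attacker are all constructed for the example; nothing here talks to real DNS.

```python
"""Why an unsigned TLSA RR cannot serve as a cached "TLS required" hint for SMTP.

The hint is keyed by MX host, so an attacker who forges the MX answer sends the
client to a host the cache has never seen.  With DNSSEC-validated MX and TLSA
lookups the forged MX answer is bogus and the client defers instead.

Constructed example; not code from the dane list thread or any real resolver.
"""
from dataclasses import dataclass

# Constructed zone data.  example.com is DNSSEC-signed, attacker.test is not.
ZONE = {
    ("example.com", "MX"): ["mx.example.com"],
    ("_25._tcp.mx.example.com", "TLSA"): ["3 1 1 <pin of mx.example.com cert>"],
    ("attacker.test", "MX"): ["mx.attacker.test"],
}
SIGNED_ZONES = {"example.com"}


def in_signed_zone(name):
    """True if some suffix of `name` is a zone the resolver can validate."""
    labels = name.split(".")
    return any(".".join(labels[i:]) in SIGNED_ZONES for i in range(len(labels)))


@dataclass
class Answer:
    rrs: list
    secure: bool  # the AD bit: True only when DNSSEC validation succeeded


class Resolver:
    """Stub resolver.  `forged` maps (name, type) to the RRs an on-path
    attacker injects in place of the real answer (constructed, not real DNS)."""

    def __init__(self, validating, forged=None):
        self.validating = validating
        self.forged = forged or {}

    def query(self, name, rtype):
        if (name, rtype) in self.forged:
            if self.validating and in_signed_zone(name):
                # Forged data carries no valid RRSIG: bogus, surfaced as SERVFAIL.
                raise LookupError(f"bogus answer for {name}/{rtype}")
            return Answer(self.forged[(name, rtype)], secure=False)
        rrs = ZONE.get((name, rtype), [])
        return Answer(rrs, secure=self.validating and in_signed_zone(name))


def tlsa_name(mx_host):
    return f"_25._tcp.{mx_host}"


def hint_policy(resolver, domain, cache):
    """The rejected idea: the mere existence of a (possibly unsigned) TLSA RR
    at an MX host is remembered as 'TLS required' for that host."""
    mx = resolver.query(domain, "MX").rrs[0]
    if resolver.query(tlsa_name(mx), "TLSA").rrs:
        cache.add(mx)
    return {"mx": mx, "tls_required": mx in cache}


def dane_policy(resolver, domain):
    """dnssec-for-everything: use TLSA only when the MX RRset and the TLSA
    RRset both validated.  An unsigned chain means no DANE; a bogus answer
    means defer delivery rather than hand the mail to whoever answered."""
    try:
        mx_answer = resolver.query(domain, "MX")
    except LookupError:
        return {"mx": None, "mode": "defer"}
    mx = mx_answer.rrs[0]
    if not mx_answer.secure:
        return {"mx": mx, "mode": "opportunistic"}
    tlsa = resolver.query(tlsa_name(mx), "TLSA")
    if tlsa.secure and tlsa.rrs:
        return {"mx": mx, "mode": "dane"}
    return {"mx": mx, "mode": "opportunistic"}


# The attacker's forged MX reply for the signed domain (constructed).
FORGED_MX = {("example.com", "MX"): ["mx.attacker.test"]}


def demo():
    cache = set()
    first = hint_policy(Resolver(validating=False), "example.com", cache)
    attacked = hint_policy(Resolver(validating=False, forged=FORGED_MX), "example.com", cache)
    return {
        "hint_first_delivery": first,       # TLSA seen, mx.example.com cached
        "hint_under_attack": attacked,      # new MX host, cache never consulted
        "dane_honest": dane_policy(Resolver(validating=True), "example.com"),
        "dane_under_attack": dane_policy(Resolver(validating=True, forged=FORGED_MX), "example.com"),
        "dane_unsigned_domain": dane_policy(Resolver(validating=True), "attacker.test"),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label:22} {result}")
```

Under the hint policy the second delivery goes to mx.attacker.test with `tls_required` False even though mx.example.com is still in the cache, which is exactly the bypass described: the hint protects a transport destination, and the attacker simply picks a different one. Under the validated policy the forged MX answer fails validation and the mail is deferred; for a domain that is not signed at all, the validated policy never claims DANE protection in the first place.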
