You make the strong assumption that DNSSEC is a better PKI than WebPKI.
It is not; it's significantly worse. MTA-STS *would* be inferior if DNSSEC were good; it is not good.
On 02/03/2023 22:23, Tom Ivar Helbekkmo via mailop wrote:
> Tobias Fiebig <tob...@fiebig.nl> writes:
>
>> I share your sentiment. I am not a fan of MTA-STS, and honestly not really sure which problem it solves.
>
> I'm reasonably sure. The problem is: "people are starting to want DANE, which means we need to implement DNSSEC, which will cost us money, so we need to design an inferior mechanism that won't cost us anything, but will fool people into thinking it's close enough to the real thing". Heck, it even says so in the RFC itself, if you read it carefully.
>
> -tih
_______________________________________________ mailop mailing list mailop@mailop.org https://list.mailop.org/listinfo/mailop