On Wed, May 21, 2014 at 08:51:48AM +0200, David Schweikert wrote:

> Hi Viktor,
> 
> On Tue, May 20, 2014 at 14:21:22 +0000, Viktor Dukhovni wrote:
> > Facebook made the same mistakes you did:
> > 
> >     http://www.metzdowd.com/pipermail/cryptography/2014-May/021344.html
> 
> In that thread you say that CA certs are futile for SMTP servers.

That's the one sentence version, in response to Facebook's implied
assertion that SMTP STARTTLS at sites with CA-issued certs is
somehow further along the evolutionary path towards a secure SMTP
backbone than at sites without.

The unstated context is "at Internet scale".  I know about the
"secure" level, after all I developed that feature for Postfix,
while also serving as postmaster for a large company with many SMTP
secure TLS peering relationships.  This non-scalable use-case is
explained in section 1.3 of the DANE draft.

> You might say that DANE is better, and I agree, but CA certificates are
> the current solution to this problem, and certainly will remain
> important until DANE becomes more widespread.

The problem with "secure" is that it requires bilateral coordination.
Thus O(n^2) effort for a network of size n.  This cannot and will
not secure SMTP by default.

> Also, we don't do "fingerprint" because we don't want to maintain the
> fingerprint database (and deal with sudden changes, etc.).

Indeed, but you still maintain a policy table with per-destination
policy, contact numbers when things go wrong, custom matching rules
when the MX host certificates contain something other than the
recipient domain or a sub-domain thereof, ...

I urge companies that implement "secure" or "encrypt" with business
partners to implement DNSSEC and publish TLSA RRs.  Demand DANE
support from your MTA vendors and/or email service providers.

-- 
        Viktor.
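As an added illustration of the TLSA RRs the message urges operators to publish (example code written for this page, not part of Viktor's mail or of Postfix), the following computes a DANE-EE "3 1 1" record for an MX host and checks a presented key against it. The certificate and SubjectPublicKeyInfo bytes are constructed stand-ins, not real DER, since only their hashes matter here.

```python
import hashlib

# TLSA field values from RFC 6698 (IANA registry values).
DANE_EE = 3        # certificate usage 3: match the end-entity cert/key directly
SEL_SPKI = 1       # selector 1: SubjectPublicKeyInfo instead of the whole cert
MTYPE_SHA256 = 1   # matching type 1: SHA-256 of the selected data

# Constructed stand-ins for a DER certificate and its DER SPKI (not real DER).
SAMPLE_SPKI = bytes(range(48))
SAMPLE_CERT = b"constructed-cert-" + SAMPLE_SPKI


def tlsa_rdata(usage, selector, mtype, cert_der, spki_der=None):
    """Return TLSA RDATA in presentation format, e.g. '3 1 1 <hex>'.
    cert_der is the DER certificate; spki_der its DER SubjectPublicKeyInfo
    (required when selector == 1)."""
    data = cert_der if selector == 0 else spki_der
    if mtype == 0:
        digest = data                        # full data, no hash
    elif mtype == 1:
        digest = hashlib.sha256(data).digest()
    elif mtype == 2:
        digest = hashlib.sha512(data).digest()
    else:
        raise ValueError("unknown matching type %d" % mtype)
    return "%d %d %d %s" % (usage, selector, mtype, digest.hex())


def tlsa_rr(mx_host, rdata):
    """Zone-file line for the SMTP (port 25) TLSA record of an MX host."""
    return "_25._tcp.%s. IN TLSA %s" % (mx_host.rstrip("."), rdata)


def tlsa_matches(rdata, cert_der, spki_der):
    """True if the peer's cert/SPKI satisfies one DANE-EE TLSA record.
    Only the data comparison is shown; a real check also requires the
    record to be DNSSEC-validated and the key to be used in the handshake."""
    usage, selector, mtype, hexdata = rdata.split()
    usage, selector, mtype = int(usage), int(selector), int(mtype)
    if usage != DANE_EE:
        raise NotImplementedError("only DANE-EE (usage 3) is handled here")
    expected = tlsa_rdata(usage, selector, mtype, cert_der, spki_der)
    return expected.split()[3] == hexdata.lower()  # DNS hex may be upper-case
```

Publishing such a record (with DNSSEC) lets any DANE-aware sender pin the MX key without the per-destination policy table or out-of-band fingerprint exchange discussed above.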
