Hi Viktor,

On Wed, May 21, 2014 at 14:09:16 +0000, Viktor Dukhovni wrote:
> The unstated context is "at Internet scale". I know about the
> "secure" level, after all I developed that feature for Postfix,
> while also serving as postmaster for a large company with many SMTP
> secure TLS peering relationships.

I knew that you knew, sorry :-) I just wanted to point out that there are
still use cases for CA certificates.

> This non-scalable use-case is explained in section 1.3 of the DANE
> draft.

DANE certainly should help to improve things, but for this use case there
are still going to be non-scalable issues (as already well put in section 6
of the DANE draft). People *will* break their setup, and delivery issues due
to a failing "dane-only" entry in tls_policy will happen.

> The problem with "secure" is that it requires bilateral coordination.
> Thus O(n^2) effort for a network of size n. This cannot and will
> not secure SMTP by default.

I was wondering about the scalability of DANE when deployed at a big scale:
if you were still serving as postmaster for a large company, would you use
"smtp_tls_security_level = dane"? What if most domains were in fact
publishing TLSA records: wouldn't you need to monitor the queue and do
something about the mails that are blocked? And wouldn't that very often be
the case? And if you wouldn't use "smtp_tls_security_level = dane", what is
the added security of DANE?

I don't want to appear to be against DANE or anything. I just want to
understand :-) And please excuse me if you have already answered these
questions before.

> Indeed, but you still maintain a policy table with per-destination
> policy, contact numbers when things go wrong, custom matching rules
> when the MX host certificates contain something other than the
> recipient domain or a sub-domain thereof, ...

Yes, I know the pain...

> I urge companies that implement "secure" or "encrypt" with business
> partners to implement DNSSEC and publish TLSA RRs. Demand DANE
> support from your MTA vendors and/or email service providers.

Which isn't going to remove the need to have contact numbers, right?

Cheers
David
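The question David raises (does "dane" leave you watching the queue, or only "dane-only"?) comes down to which lookup and verification outcomes the MTA turns into a deferral. The following is an added example written for this page, not Postfix source and not anything posted in the thread: it models the level selection documented for smtp_tls_security_level ("dane" and "dane-only") in postconf(5) together with the RFC 6698 association matching step, over constructed stand-in certificate bytes and TLSA records. The function names (effective_level, dane_authenticated, delivery_outcome) and the sample records are assumptions of the example, and DANE-TA(2) path validation is reduced to an issuer match.

```python
"""Model of how a Postfix-style DANE policy maps a TLSA lookup to the TLS
level actually enforced, plus the RFC 6698 certificate-matching step.

Added illustration, not Postfix code. The level rules follow the
description of "dane" and "dane-only" in postconf(5); everything else
(names, sample records, stand-in DER bytes) is constructed for the example.
"""
import hashlib
from dataclasses import dataclass

# TLSA field values from RFC 6698. Postfix uses only the two DANE usages.
USAGE_DANE_TA, USAGE_DANE_EE = 2, 3
SELECTOR_CERT, SELECTOR_SPKI = 0, 1            # full certificate vs SubjectPublicKeyInfo
MATCH_EXACT, MATCH_SHA256, MATCH_SHA512 = 0, 1, 2


@dataclass(frozen=True)
class TLSA:
    usage: int
    selector: int
    matching: int
    data: bytes


def tlsa_usable(rr: TLSA) -> bool:
    """PKIX-TA(0)/PKIX-EE(1) and unknown selector/matching values are unusable."""
    return (rr.usage in (USAGE_DANE_TA, USAGE_DANE_EE)
            and rr.selector in (SELECTOR_CERT, SELECTOR_SPKI)
            and rr.matching in (MATCH_EXACT, MATCH_SHA256, MATCH_SHA512))


def effective_level(policy: str, dnssec_validated: bool, records) -> str:
    """Level enforced for one destination, as documented in postconf(5).

    dnssec_validated: the MX lookup (and hence the TLSA lookup) was secure.
    Returns "may", "encrypt", "dane" (must authenticate) or "defer".
    """
    if policy not in ("dane", "dane-only"):
        raise ValueError("this model only covers the two DANE levels")
    usable = [rr for rr in records if tlsa_usable(rr)]
    if dnssec_validated and usable:
        return "dane"
    if policy == "dane-only":
        return "defer"            # insecure MX, no TLSA or only unusable TLSA: no connection
    if dnssec_validated and records:
        return "encrypt"          # TLSA published but all unusable: encrypt, no authentication
    return "may"                  # no secure TLSA data: opportunistic TLS, as without DANE


def tlsa_matches(rr: TLSA, cert_der: bytes, spki_der: bytes) -> bool:
    """RFC 6698 association-data check for a single certificate."""
    selected = cert_der if rr.selector == SELECTOR_CERT else spki_der
    if rr.matching == MATCH_EXACT:
        return selected == rr.data
    digest = hashlib.sha256 if rr.matching == MATCH_SHA256 else hashlib.sha512
    return digest(selected).digest() == rr.data


def dane_authenticated(records, chain) -> bool:
    """chain: list of (cert_der, spki_der) tuples, leaf first, as sent by the server.

    DANE-EE(3) is matched against the leaf only. DANE-TA(2) is matched
    against an issuer in the chain; a real validator then also verifies the
    signature path up to that issuer, which this model omits.
    """
    leaf, issuers = chain[0], chain[1:]
    for rr in records:
        if not tlsa_usable(rr):
            continue
        if rr.usage == USAGE_DANE_EE and tlsa_matches(rr, *leaf):
            return True
        if rr.usage == USAGE_DANE_TA and any(tlsa_matches(rr, *c) for c in issuers):
            return True
    return False


def delivery_outcome(policy: str, dnssec_validated: bool, records, chain) -> str:
    """What happens to a message queued for this destination."""
    level = effective_level(policy, dnssec_validated, records)
    if level == "defer":
        return "defer:no usable TLSA"
    if level != "dane":
        return "deliver:" + level
    if dane_authenticated(records, chain):
        return "deliver:dane"
    return "defer:certificate mismatch"   # the queue-watching case, under both levels


# Constructed sample material: stand-ins for DER encodings, not real certificates.
LEAF_CERT, LEAF_SPKI = b"constructed leaf cert DER", b"constructed leaf SPKI DER"
CA_CERT, CA_SPKI = b"constructed issuer cert DER", b"constructed issuer SPKI DER"
CHAIN = [(LEAF_CERT, LEAF_SPKI), (CA_CERT, CA_SPKI)]

RR_311 = TLSA(3, 1, 1, hashlib.sha256(LEAF_SPKI).digest())   # DANE-EE, SPKI, SHA-256
RR_201 = TLSA(2, 0, 1, hashlib.sha256(CA_CERT).digest())     # DANE-TA, full cert, SHA-256
RR_111 = TLSA(1, 1, 1, hashlib.sha256(LEAF_SPKI).digest())   # PKIX-EE: unusable here
RR_STALE = TLSA(3, 1, 1, hashlib.sha256(b"old key").digest())  # left behind after a key change

if __name__ == "__main__":
    for policy in ("dane", "dane-only"):
        for label, secure, rrs in (("no TLSA", True, []), ("unsigned MX", False, [RR_311]),
                                   ("PKIX-EE only", True, [RR_111]), ("good 3 1 1", True, [RR_311]),
                                   ("good 2 0 1", True, [RR_201]), ("stale 3 1 1", True, [RR_STALE])):
            print(f"{policy:9} {label:13} -> {delivery_outcome(policy, secure, rrs, CHAIN)}")
```

The table the script prints makes the thread's point concrete: with "dane", mail is deferred only when a domain publishes a usable TLSA record that its server no longer matches (the "stale 3 1 1" row), which is the destination's own breakage; with "dane-only", every destination without secure, usable TLSA data is deferred as well, which is why a per-destination tls_policy entry with "dane-only" still needs a contact number behind it.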