On Tue, Jun 17, 2014 at 08:39:38PM +0200, Per Thorsheim wrote:
> Sounds good, look forward to seeing it finalised. Blogged this today:
> https://starttls.info/blog/from-zero-to-hero-in-no-time/
>
> ACLU, EFF and many others are now actively promoting starttls
> deployment, as you may have seen from the past few weeks with lots of
> services announcing support and implementing it quickly. Next step, if
> I'm not completely wrong, is to get TLDs to use DNSSEC if they haven't
> got it already, then deploy it for your own domains, and then hopefully
> your DANE TLS proposal.
>
> I really hope that will catch on and be deployed faster than we've
> waited for RFC3207.

Thanks for fighting the good fight. In the meantime, any chance
you could fix the misleading TLS support scores starttls.info
issues to soundly configured MTAs?

* For SMTP, self-signed certificates are as good as CA issued
  certificates. The hostname in the certificate is irrelevant.

* For SMTP servers, support for anon-DH cipher-suites is a feature,
  not a bug.

* For opportunistic TLS, even the weakest ciphers are fine,
  provided strong ones are preferred when offered.

Almost every score-lowering observation leading to 43.5% D for
dukhovni.org is wrong.

--
Viktor.