On July 29, 2014 7:15:04 PM EDT, BlueStar88 <bluesta...@xenobite.eu> wrote:
>
>Am 29.07.2014 um 19:40 schrieb Viktor Dukhovni:
>> On Tue, Jul 29, 2014 at 07:24:41PM +0200, BlueStar88 wrote:
>>
>>> First we should extend DNS using another MX-like entry, to be able to
>>> define authoritative MTA client nodes for a specific domain, so we have
>>> something to stick on.
>> This was abandoned in favour of SPF, DKIM and DMARC.
>>
>>     http://tools.ietf.org/html/draft-crocker-csv-csa-00
>> It was an anti-spam measure, and has no direct bearing on TLS client
>> authentication.
>
>That RFC is from 2005 and was considered for anti-spam, as you've said.
>But does that mean, it is buried forever?
>If we have a new - and quite serious - purpose here (having mutual TLS
>security in mind), it should be revived to support that.
>
>If there's another way, I'm fine with that. But we have to improve here
>by any means, to keep up with the ongoing arms race.
>Having neat things like DNSSEC and DANE to back up TLS security
>doesn't make much sense, if only one party/peer of each connection can
>uphold a certain security level.

CSV doesn't really offer more than an SPF check on the HELO identity.  It's dead.

Scott K
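To make the comparison above concrete, here is an added example (mine, not code from the thread or from any of its participants) of an SPF check run against the HELO identity rather than against the MAIL FROM domain, which is the kind of check Scott is equating CSV with. The DNS zone data, host names and IP addresses are constructed for the example; the evaluator implements only the ip4, ip6, a and include mechanisms plus the all terminator (no macros, no mx/ptr/exists, no prefix lengths on a), which is enough to show what a HELO-identity policy check yields for a given connecting client.

```python
import ipaddress

# Constructed in-memory DNS data (hypothetical names and RFC 5737 test
# addresses; nothing here comes from the thread). In production these
# would be live lookups, ideally DNSSEC-validated.
DNS = {
    "mail.example.net": {
        "A": ["192.0.2.25"],
        "TXT": ["v=spf1 a ip4:198.51.100.0/24 -all"],
    },
    "smtp.example.org": {
        "A": ["203.0.113.5"],
        "TXT": ["v=spf1 include:mail.example.net ~all"],
    },
    # A HELO name that publishes no policy at all.
    "bogus.example.com": {"A": [], "TXT": []},
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype):
    """Return the constructed records of type rtype for name (empty if none)."""
    return DNS.get(name.lower().rstrip("."), {}).get(rtype, [])


def spf_record(domain):
    """Exactly one v=spf1 TXT record is required; zero means 'none'."""
    recs = [t for t in lookup(domain, "TXT") if t.lower().startswith("v=spf1 ")]
    return recs[0] if len(recs) == 1 else None


def check_helo(client_ip, helo, depth=0):
    """Evaluate the HELO host name's SPF policy for the connecting client IP.

    Returns one of: pass, fail, softfail, neutral, none, permerror.
    """
    if depth > 10:                      # crude guard against include loops
        return "permerror"
    record = spf_record(helo)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:     # skip the "v=spf1" version tag
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            target = arg or helo
            addrs = lookup(target, "A") + lookup(target, "AAAA")
            matched = any(ipaddress.ip_address(a) == ip for a in addrs)
        elif mech == "include":
            # include matches only when the referenced policy yields "pass".
            matched = check_helo(client_ip, arg, depth + 1) == "pass"
        else:
            return "permerror"          # unsupported mechanism in this toy
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                    # record exhausted without a match


if __name__ == "__main__":
    for ip, helo in [("192.0.2.25", "mail.example.net"),
                     ("203.0.113.5", "mail.example.net"),
                     ("198.51.100.7", "smtp.example.org"),
                     ("192.0.2.99", "smtp.example.org"),
                     ("192.0.2.1", "bogus.example.com")]:
        print(f"{ip:>14} HELO {helo:<20} -> {check_helo(ip, helo)}")
```

The thing to notice is what the check does and does not establish: a "pass" says only that the client's IP is one the HELO name's owner lists as allowed to use that name. It is an IP-based authorization assertion, not cryptographic authentication of the client, which is why it cannot stand in for mutual TLS client authentication.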
