> On 06 May 2016, at 10:49, Aaron Zauner <[email protected]> wrote:
>
>> On 06 May 2016, at 02:40, Viktor Dukhovni <[email protected]> wrote:
>>
>> The most timely reporting mechanism may be neither HTTPS nor a
>> separate email report, but an ESMTP extension that can signal
>> authentication errors as they occur. (Since STS supports a
>> non-enforcement 'trial' mode, and reporting was in large measure
>> intended to support that, the client would be continuing to use
>> the server in any case).
>
> I like this idea. But again; I think the extension shouldn't send feedback if
> there isn't already a secure channel in place (e.g. MITM already occurring).

..so in that case for an attacker that's trivially DoS'able as well. Which would require a fallback mechanism like HTTPS + WebPKI again, I suppose (unless you go opportunistic all the way of course, which is what I assume you propose).

Aaron
_______________________________________________
Uta mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/uta
