> On May 16, 2016, at 5:04 AM, Vladimir Dubrovin <[email protected]> wrote:
>
> You cannot rely on CA for SMTP security and deny the problem of insecure
> validation due to inability to provide secure domain verification via SMTP by
> CA at the same time.

Sure we can. The emperor's clothes are spectacular! The WebPKI
manufactures DV trust ex nihilo and the subject pays accordingly.
And the ACME tailoring company's machinery makes the finest cloth.

This spectacle is not restricted to STS. HTTPS, except for a few
large sites with EV certs, has exactly the same security model.
The MiTM needs to be on path between the CA and the remote server
at the time the DV leap of faith is performed and notarized by the
CA.

> The problem of domain verification can (and is intended to) be
> mitigated with STS for http/smtp validation, but it means CA
> must be capable of using STS with STS preloading or STS precaching.
> You can require CAs to e.g. use Mozilla STS preloaded list to be
> included into Mozilla root CAs in future, but STS policy preloading
> is only useful if you can specify policy for subdomains.

Now you're saying the emperor has no clothes, you must not be looking
hard enough!

--
Viktor.
_______________________________________________
Uta mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/uta