From Security Considerations section of draft-ietf-uta-mta-sts-03:
"Similarly, we consider the possibility of domains that deliberately
allow untrusted users to serve untrusted content on user-specified
subdomains. In some cases (e.g. the service Tumblr.com) this takes
the form of providing HTTPS hosting of user-registered subdomains
[...] In these cases, there is a risk that untrusted users would be
able to serve custom content at the "mta-sts" host, including
serving an illegitimate SMTP STS policy."
It's likely that such domains serve wildcard certificates for
user-specified subdomains. I think a further mitigation of this could
be to require the HTTPS connection's certificate to be valid precisely
for the mta-sts.example.com host, ignoring wildcard matches.
--
Federico
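The exact-host check proposed above, as an added example that is not part of the original post or of the draft: ordinary HTTPS name matching lets a `*.example.com` certificate satisfy `mta-sts.example.com`, while the strict variant only accepts a dNSName that names the policy host exactly. It assumes the dict layout returned by Python's `ssl.SSLSocket.getpeercert()`; the two certificates are constructed inline, and `fetch_policy_host_cert` is a hypothetical helper for a live check.

```python
import socket
import ssl

def mta_sts_host(domain):
    """Well-known HTTPS host that serves a domain's MTA-STS policy."""
    return "mta-sts." + domain.lower().rstrip(".")

def cert_dns_names(cert):
    """dNSName SAN entries from a cert in getpeercert() layout, lower-cased."""
    return [v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"]

def _wildcard_covers(pattern, host):
    # RFC 6125-style: '*' may only stand for the whole left-most label.
    return pattern.startswith("*.") and "." in host and host.split(".", 1)[1] == pattern[2:]

def wildcard_match(cert, host):
    """Ordinary HTTPS matching: an exact name OR a covering wildcard is accepted."""
    host = host.lower()
    return any(n == host or _wildcard_covers(n, host) for n in cert_dns_names(cert))

def strict_match(cert, host):
    """Proposed mitigation: the cert must name the mta-sts host exactly; wildcards never count."""
    return host.lower() in cert_dns_names(cert)

def policy_cert_acceptable(domain, cert):
    """True only if the policy host's certificate passes the strict check."""
    return strict_match(cert, mta_sts_host(domain))

def fetch_policy_host_cert(domain, timeout=5.0):
    """Hypothetical live helper: normal chain + hostname validation, then return the cert dict."""
    ctx = ssl.create_default_context()
    host = mta_sts_host(domain)
    with socket.create_connection((host, 443), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

# Constructed sample certificates (not real), in getpeercert() layout.
WILDCARD_CERT = {"subject": ((("commonName", "*.example.com"),),),
                 "subjectAltName": (("DNS", "*.example.com"), ("DNS", "example.com"))}
EXACT_CERT = {"subject": ((("commonName", "mta-sts.example.com"),),),
              "subjectAltName": (("DNS", "mta-sts.example.com"),)}

if __name__ == "__main__":
    for name, cert in (("wildcard", WILDCARD_CERT), ("exact", EXACT_CERT)):
        print(name, "ordinary:", wildcard_match(cert, "mta-sts.example.com"),
              "strict:", policy_cert_acceptable("example.com", cert))
```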
_______________________________________________
Uta mailing list
https://www.ietf.org/mailman/listinfo/uta