On 1/7/19 4:22 AM, Vittorio Bertola wrote:
> On 7 January 2019 at 12:36 Alice Wonder <[email protected]> wrote:
>
>> On 1/7/19 2:46 AM, Vittorio Bertola wrote:
>>
>>> On that point, you are right when you say that big systems that host mail for thousands or millions of domains are unlikely to ever implement MTA-STS, as that requires activating one HTTP service for each domain - but we already have DANE for that case.
>>
>> Additional note on this. I and many others already have policy maps requiring "secure" (starttls + PKI validating certificate) connection to the "major" providers of third-party mail services.
>
> You should also accept the other flavour of "secure" (starttls + DANE + any certificate matching the DANE records, even a self-signed one), though major providers will use PKI-validating certificates anyway, even with DANE. Also, without DANE, a PKI-validating certificate is not enough if you don't check that the hostname in the certificate matches the intended destination. I'm sure you know, but just for the sake of completeness, if anyone actually wanted to write a best practice document...
>
> Regards,
I most certainly do. I prefer DANE. PKI is high maintenance, you have to frequently update your trusted root anchors.
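The two flavours of "secure" discussed in this exchange, as an added example that is not code from the thread or from any MTA: a small Python model that decides whether a STARTTLS session to an MX host qualifies via DANE-EE (any certificate matching the TLSA record, self-signed included) or via PKI (valid chain plus the hostname check Vittorio insists on). The `Cert`/`TLSA` types, the `secure_flavour` function and the DER byte strings are constructed stand-ins, not real X.509 data.

```python
import hashlib
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Cert:  # stand-in for a server certificate; DER fields are constructed bytes, not real X.509
    der: bytes            # full certificate, DER encoding
    spki_der: bytes       # SubjectPublicKeyInfo, DER encoding
    dns_names: List[str]  # dNSName subjectAltName entries
    chain_valid: bool     # chains to a trusted PKI root CA?

@dataclass
class TLSA:  # RFC 6698 record; only usage 3 (DANE-EE) is modelled here
    usage: int     # 3 = DANE-EE
    selector: int  # 0 = full certificate, 1 = SubjectPublicKeyInfo
    mtype: int     # 0 = exact, 1 = SHA-256, 2 = SHA-512
    data: bytes

_MATCH = {0: lambda b: b, 1: lambda b: hashlib.sha256(b).digest(), 2: lambda b: hashlib.sha512(b).digest()}

def association_data(cert: Cert, selector: int, mtype: int) -> Optional[bytes]:
    """Selector and matching type applied to the certificate; None if the record is unusable."""
    subject = {0: cert.der, 1: cert.spki_der}.get(selector)
    if subject is None or mtype not in _MATCH:
        return None
    return _MATCH[mtype](subject)

def tlsa_matches(cert: Cert, rec: TLSA) -> bool:
    """DANE-EE match: the certificate may be self-signed, no PKI chain is consulted."""
    if rec.usage != 3:
        return False  # DANE-TA (usage 2) needs chain building plus a name check; not modelled
    data = association_data(cert, rec.selector, rec.mtype)
    return data is not None and data == rec.data

def hostname_matches(cert: Cert, mx_host: str) -> bool:
    """Exact dNSName match, or a wildcard in the left-most label only."""
    host = mx_host.lower().rstrip(".")
    for name in (n.lower().rstrip(".") for n in cert.dns_names):
        if name == host or (name.startswith("*.") and "." in host and host.split(".", 1)[1] == name[2:]):
            return True
    return False

def secure_flavour(cert: Cert, mx_host: str, tlsa: List[TLSA], starttls: bool) -> Optional[str]:
    """Return "dane" or "pki" when the session qualifies as "secure", otherwise None."""
    if not starttls:
        return None
    if tlsa:  # usable TLSA records are authoritative (RFC 7672): no fallback to PKI
        return "dane" if any(tlsa_matches(cert, r) for r in tlsa) else None
    # PKI flavour: a valid chain alone is not enough, the name must match the MX host
    return "pki" if cert.chain_valid and hostname_matches(cert, mx_host) else None
```

A self-signed certificate passes only when a TLSA record matches it; a CA-issued certificate for a different name fails even though its chain validates, which is the hostname caveat from the thread.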
_______________________________________________
Uta mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/uta
