> On Mar 13, 2019, at 5:13 PM, Eric Rescorla <[email protected]> wrote:
>
> Well, I think this field should only override the outgoing and not incoming
> policies (or be removed).
To be clear, let's imagine a company (say a bank) with the following TLS
policies (written roughly Postfix-style, but should be clear even to the
uninitiated):
# Mandatory PKIX authenticated TLS with back office settlement business
partner,
# And mutually agreed set of CAs.
#
partner.example secure tafile=partner-cas.pem
match=mx.partner.example
# Mandatory DANE-TLS with another business partner known to support DANE
#
partner2.example dane-only
# Opportunistic DANE TLS when available with general-purpose email
# (In real life the global default would be specified elsewhere)
* dane
I think you're saying that the company could allow its users to bypass
the locally-policy business partner domain rules, but must refuse to
allow users to exempt casual correspondence from DANE (or MTA-STS)
policy when published by the destination domain.
Is that right?
--
--
Viktor.
_______________________________________________
Uta mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/uta
