> On Mar 14, 2019, at 1:31 PM, Eric Rescorla <[email protected]> wrote:
>
> It's allowed to not *generally* honor STS, but this text does not
> have any provision for just ignoring it for some messages.
In MTAs (e.g. Postfix), the delivery policy is *always* per message,
or more precisely per message recipient. Either the message sender
or message content (filter) can map to a default transport with an
associated set of security mechanisms/policies, and then a specific
recipient may map to a suitable recipient-specific transport.
When a particular envelope is mapped to a non-DANE policy, the DANE
specification does not apply. Ditto for MTA-STS, and this is the
only plausible reading of either specification. When in Rome do
as the Romans do, but elsewhere togas are not standard attire.
Just because Postfix *implements* DANE does not make it *generally*
honoured. DANE, if enabled at all, is either used or not used for
a particular envelope, with multiple factors taken into account.
Thus the same destination domain's published TLSA records may or
may not get used, depending on the sender, the message content or
the recipient.
This draft merely formalizes a standard signal that an MUA can use
to feed into the transport policy selection.
Other MTAs similarly have lots of per-message-envelope knobs. So
"honor" always only applies one message at a time. Just because
some envelopes adhere to a policy does not make that policy more
equal than others.
--
Viktor.
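As an added illustration of the per-envelope transport selection described in the message above (example Postfix configuration written for this page, not taken from the message or from the Postfix project; the domain names, map file paths and the transport names `relay-notls` and `bulk-relay` are placeholders I chose), the same destination domain ends up with or without DANE depending on the sender, the content and the recipient:

```ini
# ---- /etc/postfix/main.cf (excerpt) ----
# Site-wide default: opportunistic DANE for every outbound delivery.
# A recipient domain with usable TLSA records gets authenticated TLS.
smtp_tls_security_level = dane
smtp_dns_support_level  = dnssec

# Recipient-domain overrides: the policy lookup is per delivery,
# so these recipients never go through the default DANE logic.
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy

# Sender-dependent default transport: mail from this envelope
# sender is routed through a transport with its own TLS settings.
sender_dependent_default_transport_maps = hash:/etc/postfix/sender_transport

# Content filter: a header match can redirect a message to a
# different transport, again with its own TLS settings.
header_checks = regexp:/etc/postfix/header_checks

# ---- /etc/postfix/tls_policy (placeholder domains) ----
# recipient domain   policy for that destination only
partner.example      dane-only
legacy.example       may

# ---- /etc/postfix/sender_transport (placeholder sender) ----
# envelope sender         transport:nexthop
bulk@sender.example       relay-notls:

# ---- /etc/postfix/header_checks (placeholder header) ----
# Messages carrying this constructed header use the bulk transport.
/^X-Bulk-Campaign: /      FILTER bulk-relay:

# ---- /etc/postfix/master.cf (added transports) ----
# Each transport is an smtp(8) client with overridden TLS parameters,
# so mail routed here to partner.example ignores its TLSA records.
relay-notls unix  -  -  n  -  -  smtp
    -o smtp_tls_security_level=may
bulk-relay  unix  -  -  n  -  -  smtp
    -o smtp_tls_security_level=encrypt
```

With this configuration a message from bulk@sender.example to partner.example is delivered by relay-notls without DANE, while the same recipient reached via the default transport is delivered with dane-only; `postmap` must be run on the hash: tables after editing them.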
_______________________________________________
Uta mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/uta