
Re: SMTP+TLS to MXs, was Re: Comments on Draft IRTF ASRG DNSBL - 07

2008-11-13 17:09:57

In message
<alpine.LSU.2.00.0811131135530.14367@hermes-1.csi.cam.ac.uk>,
 Tony Finch writes:
> You also need the server to provide a verifiable TLS certificate. The vast
> majority of them are not. This problem is perhaps even harder to fix than
> the lack of DNSSEC.

        Just use DNSSEC and CERT records to do that.

        If self signed, look in the DNS for the CERT.  Accept if
        signed and validated by DNSSEC.  Have a low TTL on the CERT
        so as to not blow the DNS cache (caches can enforce this
        if needed) and maintain an on-disk cache of the certs retrieved
        via the DNS as they have their own validity period.  Attempt
        to retrieve a new one via DNS if the on-disk one doesn't
        match.

        Certs that are signed by private CAs are harder to deal
        with as you don't have the linkage from the name to the
        CA.

        Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews@isc.org
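The procedure Mark sketches above (self-signed MX certificate, CERT record looked up in the DNS, accepted only when the answer is DNSSEC-validated, with an on-disk cache bounded by the certificate's own validity) as a worked example. This is added illustration, not code from the thread or from ISC: the resolver is a stub standing in for a validating resolver's answer and AD bit, the cache is an in-memory map standing in for the on-disk cache, the host name mx.example.net and the certificates are constructed here, and the function names (Verify, encodeCERT, decodeCERT, selfSigned) are assumptions. The CERT RDATA layout (type, key tag, algorithm, certificate) follows RFC 4398; the private-CA case Mark mentions is not handled, as there is no name-to-CA linkage to check.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/binary"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// CERT RDATA per RFC 4398: type(2) | key tag(2) | algorithm(1) | certificate.
// Type 1 (PKIX) carries a DER X.509 certificate; key tag and algorithm are 0
// because the certificate's key is not a DNSSEC key.
const certTypePKIX = 1

func encodeCERT(certDER []byte) []byte {
	out := make([]byte, 5+len(certDER))
	binary.BigEndian.PutUint16(out[0:2], certTypePKIX)
	binary.BigEndian.PutUint16(out[2:4], 0) // key tag
	out[4] = 0                               // algorithm
	copy(out[5:], certDER)
	return out
}

func decodeCERT(rdata []byte) ([]byte, error) {
	if len(rdata) < 5 {
		return nil, errors.New("CERT rdata too short")
	}
	if binary.BigEndian.Uint16(rdata[0:2]) != certTypePKIX {
		return nil, errors.New("not a PKIX CERT record")
	}
	return rdata[5:], nil
}

// Answer models what a validating resolver returns: the CERT records for the
// name and whether DNSSEC validation succeeded (the AD bit). Stub, not a real
// DNS client.
type Answer struct {
	Records       [][]byte
	Authenticated bool
}

type Resolver func(name string) (Answer, error)

// Cache stands in for the on-disk cache; entries expire with the cert's NotAfter.
type cacheEntry struct {
	certDER []byte
	expires time.Time
}
type Cache struct{ entries map[string]cacheEntry }

func NewCache() *Cache { return &Cache{entries: map[string]cacheEntry{}} }

// Verify returns nil if the self-signed certificate presented by the MX host
// `name` matches a DNSSEC-validated CERT record (or a still-valid cached copy).
func Verify(name string, presented *x509.Certificate, res Resolver, cache *Cache, now time.Time) error {
	if now.Before(presented.NotBefore) || now.After(presented.NotAfter) {
		return errors.New("presented certificate outside its validity period")
	}
	// On-disk cache first: only a matching, unexpired entry avoids the DNS lookup.
	if e, ok := cache.entries[name]; ok && now.Before(e.expires) && bytes.Equal(e.certDER, presented.Raw) {
		return nil
	}
	ans, err := res(name) // mismatch or miss: fetch a fresh CERT via DNS
	if err != nil {
		return err
	}
	if !ans.Authenticated {
		return errors.New("CERT answer not DNSSEC-validated")
	}
	for _, rd := range ans.Records {
		der, err := decodeCERT(rd)
		if err != nil {
			continue
		}
		if bytes.Equal(der, presented.Raw) {
			cache.entries[name] = cacheEntry{certDER: der, expires: presented.NotAfter}
			return nil
		}
	}
	return errors.New("presented certificate matches no DNSSEC-validated CERT record")
}

// selfSigned builds a throwaway self-signed server certificate for the demo.
func selfSigned(cn string, notAfter time.Time) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		DNSNames:     []string{cn},
		NotBefore:    notAfter.Add(-365 * 24 * time.Hour),
		NotAfter:     notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	now := time.Date(2008, 11, 13, 17, 0, 0, 0, time.UTC)
	good, _ := selfSigned("mx.example.net", now.Add(90*24*time.Hour))
	impostor, _ := selfSigned("mx.example.net", now.Add(90*24*time.Hour))
	signed := func(string) (Answer, error) {
		return Answer{Records: [][]byte{encodeCERT(good.Raw)}, Authenticated: true}, nil
	}
	cache := NewCache()
	fmt.Println("genuine cert, validated CERT:", Verify("mx.example.net", good, signed, cache, now))
	fmt.Println("impostor cert, validated CERT:", Verify("mx.example.net", impostor, signed, cache, now))
	offline := func(string) (Answer, error) { return Answer{}, errors.New("no DNS") }
	fmt.Println("genuine cert, served from cache:", Verify("mx.example.net", good, offline, cache, now.Add(time.Hour)))
}
```

The cache is consulted only on an exact match of the presented certificate, so a rotated or spoofed certificate always forces a fresh, DNSSEC-validated lookup; an unauthenticated answer (AD bit clear) is never trusted, which is the property that makes the scheme hinge on DNSSEC rather than on the DNS alone.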
_______________________________________________
Ietf mailing list
Ietf@ietf.org
https://www.ietf.org/mailman/listinfo/ietf