John C Klensin wrote:
> --On Friday, 24 October, 2008 17:22 +0100 Tony Finch wrote:
>> However I don't know how to address its weaknesses for
>> inter-domain relaying via MX records.
>
> Of course, this is another area in which a functional DNSSEC,
> with signature verification by the SMTP clients, would make some
> of us sleep a lot more soundly. But that is not specifically a
> TLS problem.

Perhaps some black magic stems from associating certificate validation
with authority acceptance. It is also a non-TLS specific problem, but
it may be helpful to clarify the relationship between DNS hierarchical
delegations and CA chains. To wit, if a CA certificate were assigned
along with each domain delegation, then we would need no black magic.
BTW, why don't we write the IP number on our server certificates?