Dave CROCKER wrote:
> On 11/15/2011 4:10 AM, Carl S. Gutekunst wrote:
>> The purpose is to define a standard way for an SMTP sender (client)
>> to determine that the SMTP receiver that it's talking to is the one it
>> thinks it's talking to. The mechanism would detect man-in-the-middle
>> attacks and connection hijacking at either the routing or DNS level.
>
> Isn't that exactly the problem that the DANE working group is attacking?
DANE is looking at DNSSEC extensions, which may well be what Tony was
looking for.
However, one of the references for DANE -- RFC 6125 -- seems to be
exactly what I was looking for. Unfortunately, it very deliberately
codifies the language from RFC 2818 for wildcards, with the established
practice for SMTP being a SHOULD NOT. I'll have to figure out what to do
about that. (That said, I can count the number of MTA implementations
that support wildcard domains in certificates without taking off my shoes.)
Thanks!
<csg>
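For readers of the archive: a worked example of the RFC 6125 section 6.4.3 matching rules Carl refers to, added here and not part of this thread or of any MTA's code. It checks a certificate's presented DNS-ID against the reference identifier the client meant to reach, applying the wildcard restrictions from 6.4.3 (wildcard only in the left-most label, matching exactly one label, never inside an IDN label). The allow_wildcard switch stands in for the SMTP "SHOULD NOT" practice; that parameter, the verify_smtp_server helper and the requirement of exactly one '*' per label are assumptions made for illustration.

```python
"""
Reference-identifier matching in the style of RFC 6125 section 6.4.3.
Added example for this thread; not code from the discussion or from any
MTA. The allow_wildcard switch, verify_smtp_server, and the "exactly one
'*' per label" rule are assumptions chosen for illustration.
"""


def _labels(name: str):
    """Split a DNS name into lower-cased labels; a trailing dot is ignored."""
    return name.rstrip(".").lower().split(".")


def _is_idn_label(label: str) -> bool:
    """True for an A-label (xn--) or a non-ASCII U-label; RFC 6125 says a
    wildcard embedded in such a label SHOULD NOT be matched."""
    return label.startswith("xn--") or not label.isascii()


def match_presented(presented: str, reference: str,
                    allow_wildcard: bool = True) -> bool:
    """Return True if the certificate's presented DNS-ID `presented`
    matches the reference identifier `reference` (the name the client
    intended to connect to). Wildcards are honoured only when
    `allow_wildcard` is set, and then only under the 6.4.3 restrictions."""
    if "*" in reference:
        return False                     # reference identifiers never carry wildcards
    p_labels = _labels(presented)
    r_labels = _labels(reference)
    if "" in p_labels or "" in r_labels:
        return False                     # empty label: malformed name

    # Rule 1: a wildcard in any label other than the left-most never matches
    # (e.g. bar.*.example.net).
    if any("*" in lab for lab in p_labels[1:]):
        return False

    first = p_labels[0]
    if "*" not in first:
        return p_labels == r_labels      # plain name: exact, case-insensitive match

    if not allow_wildcard:
        return False                     # SMTP practice: refuse wildcard certs

    # Rule 2: the wildcard stands for exactly one label, so label counts must
    # agree and the remaining labels must be identical. *.example.com matches
    # foo.example.com, not bar.foo.example.com and not example.com.
    # (Assumption: at least one label to the right of the wildcard; real
    # clients usually demand more so that *.com is never accepted.)
    if len(p_labels) != len(r_labels) or len(p_labels) < 2:
        return False
    if p_labels[1:] != r_labels[1:]:
        return False

    # Rule 3: a partial-label wildcard (baz*, *baz, b*z) MAY match, but not
    # inside an IDN label. Assumption: exactly one '*' in the label.
    if first.count("*") != 1 or _is_idn_label(first) or _is_idn_label(r_labels[0]):
        return False
    prefix, suffix = first.split("*")
    target = r_labels[0]
    return (len(target) >= len(prefix) + len(suffix)
            and target.startswith(prefix) and target.endswith(suffix))


def verify_smtp_server(presented_ids, reference: str,
                       allow_wildcard: bool = False) -> bool:
    """Hypothetical MTA-side check: accept the server if any DNS-ID in its
    certificate matches the reference identifier. Wildcards are off by
    default, reflecting the SHOULD NOT for SMTP mentioned in the thread."""
    return any(match_presented(pid, reference, allow_wildcard)
               for pid in presented_ids)


if __name__ == "__main__":
    # Constructed sample certificate names, not taken from any real server.
    cert_ids = ["mx1.example.com", "*.example.com"]
    print(verify_smtp_server(cert_ids, "mx1.example.com"))          # exact match
    print(verify_smtp_server(cert_ids, "mx2.example.com"))          # wildcard refused
    print(verify_smtp_server(cert_ids, "mx2.example.com", True))    # wildcard allowed
```

The interesting cases are the ones that look like they should match but are rejected: `*.example.com` against `bar.foo.example.com` or against the bare `example.com`, and a wildcard in a non-left-most label, which the first rule throws out before any comparison happens.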