On 14/11/2011 22:40, Carl S. Gutekunst wrote:
> Dave CROCKER wrote:
>> On 11/15/2011 4:10 AM, Carl S. Gutekunst wrote:
>>> The purpose is to define a standard way for an SMTP sender (client) to
>>> determine that the SMTP receiver that it's talking to is the one it
>>> thinks it's talking to. The mechanism would detect man-in-the-middle
>>> attacks and connection hijacking at either the routing or DNS level.
>>
>> Isn't that exactly the problem that the DANE working group is attacking?
>> DANE is looking at DNSSEC extensions, which may well be what Tony was
>> looking for.
>
> However, one of the references for DANE -- RFC 6125 -- seems to be
> exactly what I was looking for. Unfortunately, it very deliberately
> codifies the language from RFC 2818 for wildcards, with the established
> practice for SMTP being a SHOULD NOT.
>
> Backward compatibility might be a sufficient reason to violate the
> SHOULD NOT.
>
> I'll have to figure out what to do about that. (That said, I can count
> the number of MTA implementations that support wildcard domains in
> certificates without taking off my shoes.)
>
> Thanks!
>
> <csg>
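The identifier-matching rules the thread is weighing (RFC 6125 DNS-ID/CN-ID matching, and whether an SMTP client should honour wildcard names at all) can be made concrete in a few dozen lines. The following is an added illustration, not code from the thread or from any MTA. The policy objects, the requirement that a wildcard be the whole left-most label, and the refusal to match a two-label wildcard such as `*.net` are this example's conservative choices; RFC 6125 itself only requires the left-most-label and single-label rules and leaves wildcard acceptance to the application profile.

```python
"""Reference-identifier matching for a TLS server certificate, written
along the lines of RFC 6125 section 6.4 (DNS-ID and CN-ID matching with
constrained wildcards). Added illustration, not an MTA's real code."""
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class MatchPolicy:
    """Application-profile knob (this example's own abstraction). RFC 6125
    leaves wildcard acceptance to the profile; the thread notes that
    established SMTP practice is SHOULD NOT."""
    allow_wildcards: bool


SMTP_POLICY = MatchPolicy(allow_wildcards=False)        # SMTP "SHOULD NOT"
HTTPS_STYLE_POLICY = MatchPolicy(allow_wildcards=True)  # RFC 2818 style


def _normalize(name: str) -> str:
    # Compare case-insensitively and ignore a trailing dot: "MAIL.example.net"
    # and "mail.example.net." name the same host.
    return name.strip().rstrip(".").lower()


def dns_id_matches(presented: str, reference: str, policy: MatchPolicy) -> bool:
    """Does one presented identifier (a SAN dNSName) match the reference
    identifier, i.e. the host the client intended to reach?"""
    p, r = _normalize(presented), _normalize(reference)
    if not p or not r:
        return False
    if "*" not in p:
        return p == r                       # exact match, the common case
    if not policy.allow_wildcards:
        return False                        # profile forbids wildcards outright
    p_labels, r_labels = p.split("."), r.split(".")
    # RFC 6125 6.4.3 rule 1: the wildcard may appear only in the left-most
    # label. This example additionally requires it to be the whole label
    # ("*.example.net"), rejecting the "baz*.example.net" form the RFC
    # merely permits.
    if p_labels[0] != "*" or any("*" in lab for lab in p_labels[1:]):
        return False
    # Conservative extra rule (not in RFC 6125): never let a wildcard cover
    # a registry-level name such as "*.net".
    if len(p_labels) < 3:
        return False
    # Rule 2: the wildcard matches exactly one label, never across a dot.
    if len(r_labels) != len(p_labels):
        return False
    # Rule 3: do not match "*" against an internationalized A-label.
    if r_labels[0].startswith("xn--"):
        return False
    return p_labels[1:] == r_labels[1:]


def certificate_matches(dns_ids: Iterable[str], cn_id: Optional[str],
                        reference: str, policy: MatchPolicy) -> bool:
    """Check a certificate's identifiers against the reference identifier.
    Per RFC 6125 6.4.4 the CN-ID is consulted only when the certificate
    carries no DNS-ID at all."""
    dns_ids = list(dns_ids)
    if dns_ids:
        return any(dns_id_matches(d, reference, policy) for d in dns_ids)
    return cn_id is not None and dns_id_matches(cn_id, reference, policy)


if __name__ == "__main__":
    # Constructed sample: an MX host presenting a wildcard certificate.
    san = ["*.example.net"]
    for label, pol in (("RFC 2818-style", HTTPS_STYLE_POLICY),
                       ("SMTP SHOULD NOT", SMTP_POLICY)):
        print(label, certificate_matches(san, None, "mail.example.net", pol))
```

Running the sample shows the practical consequence of the SHOULD NOT: the same `*.example.net` certificate is accepted for `mail.example.net` under the RFC 2818-style policy and rejected under the SMTP policy, which is exactly the backward-compatibility tension the thread describes. The CN-ID fallback is deliberately disabled once any DNS-ID is present, so a certificate cannot widen its name set through the Subject CN.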