[Top] [All Lists]

Re: draft-fanf-dane-smtp

2012-05-29 22:31:38

In message <4FC58201(_dot_)7010701(_at_)isdg(_dot_)net>, Hector Santos writes:

Tony Finch wrote:
Hector Santos <hsantos(_at_)isdg(_dot_)net> wrote:
I guess, if anything else, there are two client suggestions to highlight:

  - Automated MTA (router)
  - Interactive MUA smtp client

The draft is for inter-domain SMTP so message submission is out of scope.
I don't think I can make this clearer.


Oh, so that is what you meant by "inter-domain."   I am not use to 
using that term within the confines of mail systems but it fits. 
Other terms are "routers," "relays," etc or just MTA.  I prefer router.

   Inter-domain SMTP:  SMTP between different ADMDs across the public
       Internet, where a client sends mail to a publicly-referenced SMTP

I suggest to add an i.e.

    i.e. a router, relaying MTA, not an MUA with a possible interactive
         CN vs Host domain checking method where the HUMAN is involved.

Anyway, ironically, we are having a related thread now in our support 
forum regarding a sysop asking about self-signed vs CA signed certs.

My question is:

If the client has to be modified to do this extra TLSA check, then why 
not just add login to do a CA 3rd party repository?   Or support OCSP 
(Online Certificate Status Protocol) RFC2560?

OCSP is for when the CA knows the CERT is compromised.
TLSA, mode X, is to detect mis-issued CERT by some CA.

Different threat models.

OCSP are sometimes unreachable even when you have the address and CERT.
TLSA records will almost always be available if you can retrieve the address
as they live below the address in the DNS and are usually in the same zone.

Different failure models.

When change is proposed, then it has to have a payoff.  A client 
trusting a self-signed signature is going to be pre-defined or 
pre-arranged or known upfront.

TLSA, mode Y, allows you to trust the self signed CERT by providing
a verifiable secure chain of trust back to a DNS trust anchor rather
than a CA trust anchor.

Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka(_at_)isc(_dot_)org

<Prev in Thread] Current Thread [Next in Thread>