Matt McCutchen <matt(_at_)mattmccutchen(_dot_)net> wrote:
This approach is not going to work.
I think you mean that you want weaker semantics for SMTP+TLSA than I have
specified. I have deliberately stated that extra semantics apply - in the
intro I wrote:
As well as its normal function of providing an association
between a domain name and a certificate, we are also using the
existance of a TLSA record to signal to the client that it can
expect a valid server certificate.
I agree that this might be a job for the HASTLS record - I wan't aware of
it. I can change the spec to require another DNS lookup for HASTLS if
others think this is worth doing.
The historical baggage for SMTP and HTTP are rather different so I am not
sure it makes sense to apply an HTTP fix to SMTP. It would add significant
programming and provisioning complexity, and I don't think your use cases
justify it. (For instance, your wildcard TLSA records are useless without
accompanying address or SRV records.) On the other hand perhaps it would
be nice to have better consistency across protocols.
Tony.
--
f.anthony.n.finch <dot(_at_)dotat(_dot_)at> http://dotat.at/
Trafalgar: Easterly or northeasterly 5 to 7, increasing gale 8, occasionally
severe gale 9 later in southeast, otherwise mainly northerly 4 or 5,
occasionally 6. Slight or moderate, occasionally rough in southeast. Thundery
showers later in east. Good, occasionally poor in east.