Matt McCutchen <matt(_at_)mattmccutchen(_dot_)net> wrote:
> As well as its normal function of providing an association
> between a domain name and a certificate, we are also using the
> existence of a TLSA record to signal to the client that it can
> expect a valid server certificate.
>
> TLSA always signals to the client that *if* it does TLS, it can expect a
> valid server certificate. The issue is whether to do TLS. I think you
> mean this:
>
> As well as its normal function of providing an association
> between a domain name and a certificate, we are also using the
> existence of a TLSA record to signal to the client that the SMTP
> server supports TLS.
There is a load of other text in the intro explaining that in the current
internet a lot of MXs support TLS but don't have valid certificates, and
even if they did the existing specs don't explain how to validate them. So
the point of that text is to explain that we are using TLSA to fix this.
You are right to point out that I had left server support for TLS
implicit; I already improved that between -01 and -02 so the paragraph now
reads:
As well as its normal function of providing an association between a
domain name and a certificate, we are also using the existence of a
TLSA record to signal to the client that it can expect the server to
offer TLS with a valid certificate.
Tony.
--
f.anthony.n.finch <dot(_at_)dotat(_dot_)at> http://dotat.at/
Shannon: North 4 or 5, veering southeast 5 or 6. Moderate, occasionally rough
at first. Occasional rain. Good, occasionally poor.