[Top] [All Lists]

Re: [ietf-smtp] certificate pinning

2014-06-07 00:47:48
On 06/06/2014 11:12 PM, Brandon Long wrote:
Now that more servers are offering STARTTLS, it would seem beneficial to move forward towards certificate validation.

How do people feel about bringing the concept of certificate pinning from HTTP ( to SMTP?

I realize there's also DANE TLSA (RFC 6698), but that has a requirement on DNSSEC that may limit its deployment for some time to come.

DNSSEC would be great. Now there's either self-signed certificates (which would cause problems with certificate validation) or paid services that cannot always be trusted (in my country: Diginotar) or hinder deployment for administrative reasons (needs management approval in some organizations). For deploying new features, it would not hurt to use the currently best option. Maybe it would even accelerate DNSSEC with DANE, improving security for everyone. Just my 2c.


ietf-smtp mailing list