On 06/06/2014 11:12 PM, Brandon Long wrote:
> Now that more servers are offering STARTTLS, it would seem beneficial
> to move forward towards certificate validation.
> How do people feel about bringing the concept of certificate pinning
> from HTTP
> (http://tools.ietf.org/html/draft-ietf-websec-key-pinning-13) to SMTP?
> I realize there's also DANE TLSA (RFC 6698), but that has a
> requirement on DNSSEC that may limit its deployment for some time to come.
DNSSEC would be great. Now there are either self-signed certificates
(which would cause problems with certificate validation) or paid
services that cannot always be trusted (in my country: DigiNotar) or
that hinder deployment for administrative reasons (they need management
approval in some organizations). For deploying new features, it would not
hurt to use the current best option. Maybe it would even accelerate DNSSEC
with DANE, improving security for everyone. Just my 2c.
Evert
_______________________________________________
ietf-smtp mailing list
ietf-smtp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf-smtp
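Added example, not part of the thread and not code from either poster: what the two mechanisms above actually pin. A DANE TLSA record (RFC 6698) carries "certificate association data" derived from either the whole certificate (selector 0) or only its SubjectPublicKeyInfo (selector 1), optionally hashed (matching type 1 = SHA-256, 2 = SHA-512); the websec key-pinning draft pins base64(SHA-256(SPKI)). The code below builds a structurally valid X.509 DER certificate with a zero signature and placeholder key bytes (constructed here so it runs offline; the host name mx.example.net is hypothetical), extracts the SPKI with a minimal DER walker, produces the TLSA RDATA and the HTTP-style pin, and checks a presented certificate against a record. It also shows the practical difference between the selectors: a renewed certificate for the same key still matches a `3 1 1` record but not a `3 0 1` one.

```python
# Added example (not from the thread): DANE TLSA (RFC 6698) association data
# and HTTP-style SPKI pins computed from an X.509 certificate, stdlib only.
# The certificate is constructed here with a zero signature and placeholder
# key bytes so the example runs offline; it is not a real MX certificate.
import base64
import hashlib
import hmac


def der_tlv(tag: int, body: bytes) -> bytes:
    """Encode one DER TLV (definite length, short or long form)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body


def der_read(buf: bytes, pos: int = 0):
    """Decode the TLV at buf[pos:]; return (tag, body, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        nb = first & 0x7F
        length, hdr = int.from_bytes(buf[pos + 2:pos + 2 + nb], "big"), 2 + nb
    start = pos + hdr
    return tag, buf[start:start + length], start + length


def der_children(body: bytes):
    """Split a constructed DER body into its child TLVs as (tag, full_tlv)."""
    out, pos = [], 0
    while pos < len(body):
        tag, _, nxt = der_read(body, pos)
        out.append((tag, body[pos:nxt]))
        pos = nxt
    return out


def extract_spki(cert_der: bytes) -> bytes:
    """Return the DER SubjectPublicKeyInfo TLV of an X.509 certificate."""
    tag, cert_body, _ = der_read(cert_der)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, tbs_tlv = der_children(cert_body)[0]          # tbsCertificate
    fields = der_children(der_read(tbs_tlv)[1])
    if fields[0][0] == 0xA0:                          # optional explicit [0] version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    return fields[5][1]


def tlsa_assoc(cert_der: bytes, selector: int, matching: int) -> bytes:
    """RFC 6698 'certificate association data' for a selector / matching type."""
    data = {0: cert_der, 1: extract_spki(cert_der)}[selector]      # Cert / SPKI
    if matching == 0:
        return data                                                 # Full
    return {1: hashlib.sha256, 2: hashlib.sha512}[matching](data).digest()


def tlsa_rdata(usage: int, selector: int, matching: int, cert_der: bytes) -> str:
    """Presentation-format TLSA RDATA, e.g. '3 1 1 <hex>' for DANE-EE SPKI SHA-256."""
    return f"{usage} {selector} {matching} {tlsa_assoc(cert_der, selector, matching).hex()}"


def tlsa_matches(rdata: str, cert_der: bytes) -> bool:
    """Does the presented certificate satisfy this record's association data?"""
    _usage, selector, matching, hexdata = rdata.split()
    want = bytes.fromhex(hexdata)
    got = tlsa_assoc(cert_der, int(selector), int(matching))
    return hmac.compare_digest(want, got)


def spki_pin(cert_der: bytes) -> str:
    """Pin in the draft-ietf-websec-key-pinning form: base64(SHA-256(SPKI))."""
    return base64.b64encode(hashlib.sha256(extract_spki(cert_der)).digest()).decode()


def build_demo_cert(pubkey: bytes, serial: int = 1) -> bytes:
    """Constructed, structurally valid X.509 v3 DER with a zero signature (demo only)."""
    def oid(h: str) -> bytes:
        return der_tlv(0x06, bytes.fromhex(h))
    ec_pub, p256 = oid("2A8648CE3D0201"), oid("2A8648CE3D030107")   # ecPublicKey, prime256v1
    sig_alg = der_tlv(0x30, oid("2A8648CE3D040302"))                  # ecdsa-with-SHA256
    spki = der_tlv(0x30, der_tlv(0x30, ec_pub + p256) + der_tlv(0x03, b"\x00" + pubkey))
    cn = der_tlv(0x30, oid("550403") + der_tlv(0x0C, b"mx.example.net"))  # hypothetical CN
    name = der_tlv(0x30, der_tlv(0x31, cn))
    validity = der_tlv(0x30, der_tlv(0x17, b"140601000000Z") + der_tlv(0x17, b"150601000000Z"))
    tbs = der_tlv(0x30, der_tlv(0xA0, der_tlv(0x02, b"\x02")) + der_tlv(0x02, bytes([serial]))
                  + sig_alg + name + validity + name + spki)
    return der_tlv(0x30, tbs + sig_alg + der_tlv(0x03, b"\x00" * 65))


# Placeholder EC point bytes (not a real curve point): 0x04 || X || Y.
DEMO_KEY = b"\x04" + bytes(range(1, 65))
DEMO_CERT = build_demo_cert(DEMO_KEY)

if __name__ == "__main__":
    record = tlsa_rdata(3, 1, 1, DEMO_CERT)
    print("_25._tcp.mx.example.net. IN TLSA", record)
    print("pin-sha256=", spki_pin(DEMO_CERT))
    renewed = build_demo_cert(DEMO_KEY, serial=2)   # same key, new certificate
    print("3 1 1 matches renewed cert:", tlsa_matches(record, renewed))
    print("3 0 1 matches renewed cert:", tlsa_matches(tlsa_rdata(3, 0, 1, DEMO_CERT), renewed))
```

Against a real server you would replace DEMO_CERT with the DER returned by `ssl.SSLSocket.getpeercert(binary_form=True)` after STARTTLS; note that with usage 3 (DANE-EE) the record alone authenticates the end-entity key, which is exactly why it works with the self-signed certificates mentioned above, while the `3 1 1` form is also the one that survives routine certificate renewal with the same key.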