Re: [ietf-smtp] certificate pinning

2014-06-13 18:18:49
One interesting question, is what is pinned?

Do you pin just the host?  Do you pin every host in the same MX preference?
Do you pin the MX domain?  Does the pin apply to all MX hosts?

My original thought was the pin would apply to all MX hosts, but I realize
that some folks use off-site and third party relays as fallbacks, so I'm
curious what people think about that.


On Fri, Jun 6, 2014 at 8:54 PM, John Levine <johnl(_at_)taugh(_dot_)com> wrote:

In article <

Now that more servers are offering STARTTLS, it would seem beneficial to
move forward towards certificate validation.

How do people feel about bringing the concept of certificate pinning from
HTTP ( to

I realize there's also DANE TLSA (RFC 6698), but that has a requirement on
DNSSEC that may limit its deployment for some time to come.

Translating the syntax in the http draft to smtp ehlo, I would imagine
something like (on a second EHLO after the TLS session is started):

Interesting idea.  I'd be willing to work up a draft with you.



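To make the scoping question above concrete, here is an added Python sketch (not from the thread, the HTTP pinning draft, or any SMTP implementation) that models the three candidate scopes and shows what happens to a third-party fallback relay under each. The MX records, keys and hashes are constructed; the scope names "host", "preference" and "domain" are assumptions, and a pin is taken to be the SHA-256 of the server's SubjectPublicKeyInfo as in the HTTP draft.

```python
import hashlib

# Constructed sample data: example.com publishes two in-house MX hosts at
# preference 10 and a third-party fallback relay at preference 20.
MX_RECORDS = [
    (10, "mx1.example.com"),
    (10, "mx2.example.com"),
    (20, "relay.third-party.example"),
]

def spki_pin(spki_der: bytes) -> str:
    """Pin value: SHA-256 over the DER SubjectPublicKeyInfo (HTTP-draft style)."""
    return hashlib.sha256(spki_der).hexdigest()

# Constructed keys: the in-house hosts share one key, the relay has its own.
INHOUSE_KEY = b"constructed-spki-for-example.com"
RELAY_KEY = b"constructed-spki-for-third-party-relay"
PRESENTED = {                     # pin each host would actually present
    "mx1.example.com": spki_pin(INHOUSE_KEY),
    "mx2.example.com": spki_pin(INHOUSE_KEY),
    "relay.third-party.example": spki_pin(RELAY_KEY),
}

def covered_hosts(scope: str, learned_from: str, mx_records) -> set:
    """Hosts a pin learned from `learned_from` applies to under each scope."""
    if scope == "host":          # pin just the host we talked to
        return {learned_from}
    if scope == "preference":    # every host at the same MX preference
        pref = next(p for p, h in mx_records if h == learned_from)
        return {h for p, h in mx_records if p == pref}
    if scope == "domain":        # all MX hosts of the domain
        return {h for _, h in mx_records}
    raise ValueError("unknown scope: %s" % scope)

def evaluate(scope, learned_from, pins, mx_records, presented):
    """Return {host: 'ok' | 'pin-mismatch' | 'unpinned'} for every MX host."""
    covered = covered_hosts(scope, learned_from, mx_records)
    result = {}
    for _, host in mx_records:
        if host not in covered:
            result[host] = "unpinned"          # pin does not constrain this host
        elif presented[host] in pins:
            result[host] = "ok"
        else:
            result[host] = "pin-mismatch"      # delivery would be refused
    return result
```

Run with scope "domain" and a pin learned from mx1, the relay comes back as "pin-mismatch"; with "preference" it is merely "unpinned", and with "host" even mx2 is unpinned, which is the trade-off the message raises.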