Re: [ietf-smtp] certificate pinning

2014-06-13 19:06:02
One interesting question, is what is pinned?

Do you pin just the host?  Do you pin every host in the same MX preference?
Do you pin the MX domain?  Does the pin apply to all MX hosts?

My original thought was the pin would apply to all MX hosts, but I realize
that some folks use off-site and third party relays as fallbacks, so I'm
curious what people think about that.

Interesting question. My not particularly well informed opinion is that you pin the host, i.e., every host with the same host name. I don't think you can assume that different hosts are under the same management, even if they are someone's MX at the same preference.

There's a fair amount of wiggle room in 5321 about how a sender chooses the recipient hosts to use, so I think it's entirely legitimate to ignore unpinned hosts if you have pinned ones.

John Levine, johnl(_at_)taugh(_dot_)com, Taughannock Networks, Trumansburg NY
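A worked illustration of the "pin the host name, skip unpinned hosts when pinned ones exist" policy described above, as an added example that is not part of the original thread. The MX list, the pin store keyed by host name and the placeholder hash values are constructed assumptions.

```python
# Added example (not from the thread): choose SMTP delivery targets when
# certificate pins are keyed by MX host name rather than by MX domain or
# by preference level. Pins are assumed to map host name -> expected SPKI
# hash; the MX set and hash strings below are constructed placeholders.
from collections import defaultdict

# Constructed sample MX set for example.com: (preference, host name).
SAMPLE_MX = [
    (10, "mx1.example.com."),
    (10, "mx2.example.com."),
    (20, "backup-relay.thirdparty.net."),  # off-site fallback, never pinned
]

# Constructed pin store; values are placeholders, not real fingerprints.
SAMPLE_PINS = {
    "mx1.example.com": "sha256/PLACEHOLDER_PIN_MX1",
    "mx2.example.com": "sha256/PLACEHOLDER_PIN_MX2",
}

def normalize(host: str) -> str:
    """Lower-case and strip the trailing dot so DNS names match pin keys."""
    return host.rstrip(".").lower()

def select_targets(mx_records, pins):
    """Return (host, pin) pairs in delivery order.

    Policy: a pin applies to one host name, not to the MX domain and not to
    every host sharing a preference. RFC 5321 leaves host choice to the
    sender, so if any pinned host exists the unpinned ones are skipped.
    With no pins at all, fall back to plain preference order (pin=None).
    """
    by_pref = defaultdict(list)
    for pref, host in mx_records:
        by_pref[pref].append(normalize(host))
    ordered = [h for p in sorted(by_pref) for h in by_pref[p]]
    pinned = [(h, pins[h]) for h in ordered if h in pins]
    return pinned if pinned else [(h, None) for h in ordered]

def pin_check(host, observed_spki_hash, pins):
    """True/False when the host is pinned; None when there is no pin to check."""
    expected = pins.get(normalize(host))
    if expected is None:
        return None
    return expected == observed_spki_hash
```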
