Re: [ietf-smtp] certificate pinning

2014-06-16 12:03:07
Brandon Long <blong(_at_)google(_dot_)com> wrote:

One interesting question is what is pinned?

Do you pin just the host?  Do you pin every host in the same MX preference?
Do you pin the MX domain?  Does the pin apply to all MX hosts?

My original thought was the pin would apply to all MX hosts, but I realize
that some folks use off-site and third party relays as fallbacks, so I'm
curious what people think about that.

The DANE SMTP logic is that you are only secure with DNSSEC everywhere and
if all your MX targets have the necessary TLSA records. Anything less than
that gives you less security but it still works, so you can do a partial
or incremental deployment without breaking anything.

For pinning I think you need two levels: a per-mx-target pin, and a
per-mail-domain pin. The latter is triggered when all of a domain's MX
targets are pinned.
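
The two pin levels described above, modelled as an added example that is not part of the original message or of any mail server's code. The class and function names, the SHA-256 fingerprint format, the sticky domain pin, and the choice to refuse unpinned MX targets once a domain pin exists are assumptions; hostnames and keys are constructed.

```python
import hashlib
from dataclasses import dataclass, field

def fingerprint(label: str) -> str:
    """Stand-in for a SHA-256 fingerprint of a server's public key (constructed data)."""
    return hashlib.sha256(label.encode()).hexdigest()

@dataclass
class PinStore:
    mx_pins: dict = field(default_factory=dict)      # MX host -> set of pinned fingerprints
    domain_pins: set = field(default_factory=set)    # mail domains with a domain-level pin

    def observe(self, domain: str, mx_hosts: list) -> bool:
        """Trigger the per-mail-domain pin once all of the domain's MX targets are pinned."""
        if mx_hosts and all(h in self.mx_pins for h in mx_hosts):
            self.domain_pins.add(domain)
        return domain in self.domain_pins

    def decide(self, domain: str, mx_host: str, presented) -> str:
        """Classify one delivery attempt; presented is None when no TLS key was offered."""
        pins = self.mx_pins.get(mx_host)
        if pins is not None:                          # per-MX-target pin
            return "deliver" if presented in pins else "reject"
        if domain in self.domain_pins:                # assumption: a pinned domain refuses
            return "reject"                           # MX targets that carry no pin
        return "opportunistic"                        # partial deployment still delivers

def demo() -> list:
    store = PinStore()
    mxs = ["mx1.example.net", "fallback.relay.example"]   # constructed MX set
    store.mx_pins["mx1.example.net"] = {fingerprint("mx1-key")}
    out = [store.observe("example.net", mxs),             # third-party fallback unpinned
           store.decide("example.net", "fallback.relay.example", fingerprint("relay-key")),
           store.decide("example.net", "mx1.example.net", fingerprint("other-key"))]
    store.mx_pins["fallback.relay.example"] = {fingerprint("relay-key")}
    out += [store.observe("example.net", mxs),            # every MX target now pinned
            store.decide("example.net", "mx2.unlisted.example", fingerprint("x")),
            store.decide("example.net", "mx1.example.net", fingerprint("mx1-key"))]
    return out

if __name__ == "__main__":
    print(demo())
```

With only one of the two MX targets pinned, the unpinned fallback relay still receives mail opportunistically; once both are pinned, an MX name that carries no pin is refused.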

