[Top] [All Lists]

Re: [ietf-smtp] New Version Notification for draft-fenton-smtp-require-tls-00.txt

2016-01-11 18:53:50
Jim Fenton writes:

On 1/11/16 2:38 AM, Alessandro Vesely wrote:
> Hi Jim,
> On Sun 10/Jan/2016 23:27:46 +0100 Jim Fenton wrote:
>> Below is the announcement of a draft I just submitted that may be of interest >> to this list. The approach here is complementary to the other proposals I have
>> seen along these lines (e.g., smtp-sts).
> Your approach looks rather similar to Courier's "SECURITY" extension than
> Strict Transport Security. I think you'd be interested in having a look to the > former. For example, its provision to increase the requirement level allows
> practical use of the extension even in the absence of supporting MUAs.
> (That was implemented in 2001, before DANE, and even before SNI.)

Hadn't heard of this; I'll have a look.

>> Thoughts, reviews, etc. welcomed.
> Neither proposal seems to allow clients to specify a set of root CAs (to be
> transmitted along with the envelope). That lack is tantamount to assuming that
> the trust relationship is transitive.  Is it, or is it me?

Rather than specify root CAs, REQUIRETLS has an option to require that
certificates be verified via DANE (TLSA). My thought is that a sender
that is concerned about PKI-related attacks probably wants to avoid the
CAs entirely.

Originally, back in 2001, before DANE existed, I took a different tack on addressing the PKI issues, which is also described, less formally, here:

Last time I checked, setting up DNSSEC is still a bit painful. Few registrars, TMK, support DNSSEC directly. Maybe this has changed.

Attachment: pgpnDiVNn4Whr.pgp
Description: PGP signature

ietf-smtp mailing list
<Prev in Thread] Current Thread [Next in Thread>