Re: [ietf-smtp] New Version Notification for draft-fenton-smtp-require-t

Jim Fenton writes:

> On 1/11/16 2:38 AM, Alessandro Vesely wrote:
> > Hi Jim,
> >
> > On Sun 10/Jan/2016 23:27:46 +0100 Jim Fenton wrote:
> >
> >> Below is the announcement of a draft I just submitted that may be of  
> interest
> >> to this list. The approach here is complementary to the other proposals I  
> have
> >> seen along these lines (e.g., smtp-sts).
> > Your approach looks rather similar to Courier's "SECURITY" extension than
> > Strict Transport Security.  I think you'd be interested in having a look  
> to the
> > former.  For example, its provision to increase the requirement level  
> allows
> > practical use of the extension even in the absence of supporting MUAs.
> >
> > http://www.courier-mta.org/draft-varshavchik-security-smtpext.txt
> > (That was implemented in 2001, before DANE, and even before SNI.)
>
> Hadn't heard of this; I'll have a look.
>
> >
> >> Thoughts, reviews, etc. welcomed.
> > Neither proposal seems to allow clients to specify a set of root CAs (to be
> > transmitted along with the envelope).  That lack is tantamount to assuming  
> that
> > the trust relationship is transitive.  Is it, or is it me?
>
> Rather than specify root CAs, REQUIRETLS has an option to require that
> certificates be verified via DANE (TLSA). My thought is that a sender
> that is concerned about PKI-related attacks probably wants to avoid the
> CAs entirely.
Originally, back in 2001, before DANE existed, I took a different tack on  
addressing the PKI issues, which is also described, less formally, here:
http://www.courier-mta.org/install.html#esmtpsecurity

Last time I checked, setting up DNSSEC is still a bit painful. Few  
registrars, TMK, support DNSSEC directly. Maybe this has changed.

pgpnDiVNn4Whr.pgp
Description: PGP signature

_______________________________________________
ietf-smtp mailing list
ietf-smtp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf-smtp