Hi Mark,
On Mon, Mar 21, 2016 at 02:45:47 +0100, Mark Risher wrote:
The initial draft is at https://datatracker.ietf.org/doc/
draft-margolis-smtp-sts/ and we hope to discuss this at the Buenos Aires
meeting next month. While we have deployed a prototype/reference
implementation
among the authors, we are very open to feedback and suggestions from the
broader group and look forward to your input.
I find this really interesting, thanks for it! I especially like also
the DMARC-style reporting, which really should help administrators in
deploying this. When the day comes that DANE is well-established, it
could be that the reporting functionality is what really remains as
useful in SMTP STS.
Something that I wondered, is how easy it is for people to deploy a HTTPS
resource using the mail-domain as domain. You mentioned as an example
https://example.com/.well-known/smtp-sts/current and the way I
understand the current spec, is that the domain part must be "example.com"
and can't be a subdomain, right? That might be a challenge...
What about possibly fetching the resource from an URL like
https://_smtp_sts.example.com/... ? That might make it easier to deploy,
because you don't need to deploy something completely unrelated on your
homepage.
Also, I wonder how this is supposed to work for big hosters (like Google
:)): are customers going to copy-paste the Google policy for their
Google-hosted domains? This might get more and more problematic if more
features are added to the spec (like CA-pinning, etc.).
Cheers
David
_______________________________________________
ietf-smtp mailing list
ietf-smtp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf-smtp