
Re: [ietf-smtp] New proposal: SMTP Strict Transport Security

2016-03-21 11:50:41
Hi Mark,

On Mon, Mar 21, 2016 at 02:45:47 +0100, Mark Risher wrote:
> The initial draft is at
> draft-margolis-smtp-sts/ and we hope to discuss this at the Buenos Aires
> meeting next month. While we have deployed a prototype/reference
> among the authors, we are very open to feedback and suggestions from the
> broader group and look forward to your input.

I find this really interesting, thanks for it! I especially also like
the DMARC-style reporting, which really should help administrators in
deploying this. When the day comes that DANE is well established, it
could be that the reporting functionality is what really remains
useful in SMTP STS.

Something I wondered is how easy it is for people to deploy an HTTPS
resource using the mail domain as the domain. You mentioned as an example, and the way I
understand the current spec, the domain part must be ""
and can't be a subdomain, right? That might be a challenge...

What about possibly fetching the resource from a URL like ? That might make it easier to deploy,
because you don't need to deploy something completely unrelated on your
Also, I wonder how this is supposed to work for big hosters (like Google
:)): are customers going to copy-paste the Google policy for their
Google-hosted domains? This might get more and more problematic if more
features are added to the spec (like CA-pinning, etc.).


ietf-smtp mailing list