[Top] [All Lists]

Re: [ietf-smtp] New proposal: SMTP Strict Transport Security

2016-03-22 11:16:02
In the interests of unifying the threads, I'll drop this one and continue
on the main thread on the UTA mailing list. I think David's feedback is
obviated by Viktor's suggestion if we go that route, so it makes sense to
discuss the two together.

Sorry for the interruption.

On Mon, Mar 21, 2016 at 11:12 PM, Franck Martin 

----- Original Message -----
From: "David Schweikert" <david(_at_)schweikert(_dot_)ch>
To: "Daniel Margolis" <dmargolis(_at_)google(_dot_)com>
Cc: "Wei Chuang" <weihaw(_at_)google(_dot_)com>, "Mark Risher" 
Sent: Monday, March 21, 2016 1:12:12 PM
Subject: Re: [ietf-smtp] New proposal: SMTP Strict Transport Security

I think there are a couple of options for addressing this that involve
mechanism of policy "pointers". For example, you could instead say
that the
policy RR ( is merely a pointer to either a
(which contains the policy potentially served via an SNI-aware server)
or a
DNSSEC-served record (depending on your preferred authentication
mechanism). By
this approach the perishable bits of a policy can be hosted by the MX
and the *existence* of a policy still indicated by the policy domain

Yes. I was also thinking that having one level of indirection might
better fit the SMTP model of mail domain and mail hosts. Let me make
an example to see if I understand you right:

The RR could contain the policy like
"" and also publish that same information under Then, any client would need to
access and authenticate two HTTPS resources:

-   ->
-     -> mx:... a:...

may be a CNAME could do the same ?

ietf-smtp mailing list