[Top] [All Lists]

Re: [ietf-smtp] why are we reinventing mta-sts ?

2019-10-07 07:37:03
On 10/7/19 5:11 AM, Daniel Margolis wrote:

I've only quickly skimmed the original thread, but it seems like the argument is about this magic DNS prefix for MX records that would indicate "this MX should offer STARTTLS", right?

As John says, the new proposal also requires DNSSEC, no? It seems like the primary difference is that the new proposal is simpler by indicating only that the server supports TLS, but not what identity it presents? Why is that desirable?

I didn't see this explicitly specified in the proposal, but IMO the server certificate should match the target of the MX record.

And depending on DNSSEC probably does impair the ability of this to be deployed.   But if DoT can be used instead of DNSSEC, it seems to me that this might be easier to deploy than MTA-STS.

Granted, MTA-STS exists already and enjoys some support.   A new proposal thus has a high bar to clear in order to be accepted as a standard.   But I don't think it's wrong to discuss other ideas.


ietf-smtp mailing list