In article <20191009082225(_dot_)GA9444(_at_)gsp(_dot_)org> you write:
> (more generally) Making email more secure/private is goodness. Doing it
> via multiple kludges based on TXT records and hostnames and HTTP and
> so on is not. I'm (painfully) well aware of the obstacles in the way
> of doing it cleanly, but doing it this way incurs debt that sooner or
> later we'll have to pay.
Mta-sts was hashed out at a dinner at the Buenos Aires IETF meeting.
Everyone knew what the tradeoffs were, and that the web server with a
fixed name is a kludge. What it basically boiled down to was that
if they had to choose between needing a web server and needing DNSSEC
before they could deploy, they picked the web server.
I do both mta-sts and TLSA and I can assure you that the practical
obstacles to getting DNSSEC deployed remain painful. I provide DNS
for a lot of domains where I am not the registrant or registrar, and
the only way to get the DS record installed is to log in with the
registrant's password which for obvious reasons I don't want to do. There
are also still some TLDs that don't do DNSSEC at all.
ietf-smtp mailing list
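The MTA-STS pieces the reply refers to, the TXT record at _mta-sts.<domain> and the policy served over HTTPS from the fixed host mta-sts.<domain>, as an added Python example that is not from the thread. The sample record and policy are constructed; only the parsing and MX matching are shown, not the DNS lookup or the HTTPS fetch.

```python
# Constructed sample of what a domain publishes for MTA-STS (RFC 8461).
SAMPLE_TXT = "v=STSv1; id=20191009T082225"
SAMPLE_POLICY = """version: STSv1
mode: enforce
mx: mail.example.com
mx: *.backup-mx.example.net
max_age: 604800
"""

def policy_urls(domain):
    """The two fixed names a sending MTA must consult for a domain."""
    return {
        "txt": f"_mta-sts.{domain}",
        "policy": f"https://mta-sts.{domain}/.well-known/mta-sts.txt",
    }

def parse_sts_txt(txt):
    """Parse the _mta-sts TXT record; None if it is not an STSv1 record."""
    fields = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            fields[key.strip()] = value.strip()
    if fields.get("v") != "STSv1" or not fields.get("id"):
        return None
    return fields

def parse_sts_policy(text):
    """Parse the policy file; ValueError on anything a sender must reject."""
    policy = {"mx": []}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed line: {line!r}")
        key, value = key.strip(), value.strip()
        if key == "mx":
            policy["mx"].append(value)
        else:
            policy[key] = value
    if policy.get("version") != "STSv1":
        raise ValueError("unsupported version")
    if policy.get("mode") not in ("enforce", "testing", "none"):
        raise ValueError("bad mode")
    policy["max_age"] = int(policy["max_age"])  # required; non-numeric raises
    return policy

def mx_matches(mx_host, patterns):
    """True if an MX hostname matches a policy entry; '*.' covers one label."""
    for pat in patterns:
        if pat.startswith("*."):
            suffix = pat[1:]
            prefix = mx_host[:-len(suffix)] if mx_host.endswith(suffix) else ""
            if prefix and "." not in prefix:
                return True
        elif mx_host == pat:
            return True
    return False
```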