
Re: (short version) Re: Last Call: <draft-faltstrom-uri-10.txt> (The Uniform Resource Identifier (URI) DNS Resource Record) to Proposed Standard

2015-03-01 14:27:57
On Sun, Mar 01, 2015 at 10:21:33AM -0500, Phillip Hallam-Baker wrote:

> On Sat, Feb 28, 2015 at 5:27 PM, Mark Andrews <marka(_at_)isc(_dot_)org> wrote:


>> And that is coming "_25._tlsa" and it uses DNSSEC to prevent the
>> downgrade.

Typo fix: that "_25._tlsa" is of course "_25._tcp".

>> Whether your MTA uses STARTTLS or not is another matter
>> but we can prevent downgrade attacks from succeeding.

If the MTA implements opportunistic DANE TLS, and usable TLSA
records *are* published, then it MUST use STARTTLS and authenticate
the peer via said TLSA records.

    http://tools.ietf.org/html/draft-ietf-dane-smtp-with-dane-14#section-2.2

> In particular make it possible to explicitly specify criteria such as 'use
> TLS transport' or 'XYZ authentication is required'.

For both MX and SRV the DANE WG has settled on publication of TLSA
RRs to signal both "TLS is required" and "DANE authentication is
required".

-- 
        Viktor.
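The policy Viktor describes (a DNSSEC-validated, usable TLSA RRset under `_25._tcp` makes STARTTLS and DANE authentication mandatory, so a stripped STARTTLS offer or a non-matching certificate results in deferral rather than cleartext delivery) can be sketched as a decision function. The following is an added illustration and is not code from the thread, the draft, or any MTA; the certificate and SubjectPublicKeyInfo bytes are constructed stand-ins for what a client would extract from the peer's certificate, and only DANE-EE(3) end-entity matching is implemented (DANE-TA(2) needs chain validation and is deliberately left returning "not authenticated"). The handling of a secure RRset with no usable records is simplified to plain opportunistic TLS here; the DANE SMTP draft's own rules for that case should be consulted.

```python
import hashlib
from dataclasses import dataclass

# Constructed sample inputs, not a real certificate. In a real MTA these are
# the DER of the peer's leaf certificate and of its SubjectPublicKeyInfo.
CONSTRUCTED_CERT_DER = b"\x30\x82\x01\x00" + b"cert-body" * 8
CONSTRUCTED_SPKI_DER = b"\x30\x59" + b"spki-body" * 4


@dataclass(frozen=True)
class TLSA:
    usage: int      # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE
    selector: int   # 0 full certificate, 1 SubjectPublicKeyInfo
    mtype: int      # 0 exact match, 1 SHA-256, 2 SHA-512
    data: bytes     # certificate association data


def usable_for_smtp(rr: TLSA) -> bool:
    """PKIX usages (0, 1) are not usable for SMTP DANE; only DANE-TA/DANE-EE
    with a known selector and matching type count as usable records."""
    return rr.usage in (2, 3) and rr.selector in (0, 1) and rr.mtype in (0, 1, 2)


def decide_policy(tlsa_rrset, dnssec_secure: bool) -> str:
    """Return 'dane-required' when a DNSSEC-validated TLSA RRset with at
    least one usable record exists, else 'opportunistic'. Unsigned TLSA data
    is ignored entirely: without DNSSEC it cannot prevent a downgrade."""
    if not dnssec_secure:
        return "opportunistic"
    if any(usable_for_smtp(rr) for rr in tlsa_rrset):
        return "dane-required"
    return "opportunistic"  # simplification, see lead-in


def tlsa_matches(rr: TLSA, cert_der: bytes, spki_der: bytes) -> bool:
    """Compare the selected certificate component with the record data."""
    selected = cert_der if rr.selector == 0 else spki_der
    if rr.mtype == 0:
        return selected == rr.data
    digest = hashlib.sha256 if rr.mtype == 1 else hashlib.sha512
    return digest(selected).digest() == rr.data


def authenticate(tlsa_rrset, cert_der: bytes, spki_der: bytes) -> bool:
    """DANE-EE(3) only: the leaf certificate (or its SPKI) must match one
    usable record. DANE-TA(2) records are not evaluated here, so an RRset
    containing only those yields False (fail closed)."""
    return any(
        usable_for_smtp(rr) and rr.usage == 3 and tlsa_matches(rr, cert_der, spki_der)
        for rr in tlsa_rrset
    )


def delivery_decision(policy: str, starttls_offered: bool, authenticated: bool) -> str:
    """Map policy plus handshake outcome to an MTA action. Under
    'dane-required' a missing STARTTLS offer or failed authentication
    defers the message instead of falling back to cleartext."""
    if policy == "dane-required":
        if starttls_offered and authenticated:
            return "deliver-tls"
        return "defer"
    # Opportunistic: encrypt when offered, otherwise deliver in the clear.
    return "deliver-tls" if starttls_offered else "deliver-cleartext"


# A constructed DANE-EE(3) / SPKI(1) / SHA-256(1) record for the sample key.
SAMPLE_TLSA_EE = TLSA(3, 1, 1, hashlib.sha256(CONSTRUCTED_SPKI_DER).digest())
# A constructed PKIX-EE(1) record, which is not usable for SMTP DANE.
SAMPLE_TLSA_PKIX = TLSA(1, 1, 1, hashlib.sha256(CONSTRUCTED_SPKI_DER).digest())

if __name__ == "__main__":
    policy = decide_policy([SAMPLE_TLSA_EE], dnssec_secure=True)
    ok = authenticate([SAMPLE_TLSA_EE], CONSTRUCTED_CERT_DER, CONSTRUCTED_SPKI_DER)
    print(policy, delivery_decision(policy, starttls_offered=True, authenticated=ok))
```

The point of `delivery_decision` is the downgrade case: once the TLSA lookup is secure and usable, an attacker who strips the STARTTLS capability or substitutes a certificate only achieves a deferral, never a cleartext delivery.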
