On Sat, Oct 31, 2015 at 06:28:16AM +0100, Aaron Zauner wrote:
That article is referencing another paper, presented at IMC15 by
UMichigan, UCI and Google researchers, publicly available over here:
http://conferences2.sigcomm.org/imc/2015/papers/p27.pdf
..there're also problems with some of the details in the article.
(Yeah, we haven't yet got any media exposure :))
Thanks for the clarification, the coincidence in the timing led me
astray into linking the article with the wrong paper.
I cringe every time someone bemoans the lack of "valid" certificates
in SMTP, such certificates are largely a worthless fashion statement.
(Some domains have bilateral arrangements with business partners
to verify email traffic certificates, but these arrangements are
exceedingly rare).
Yes. But even for mail there're valid points to use official
certificates (i.e. nodes clients talk to).
Yes, WebPKI are well suited for submission, POP and IMAP.
For MTA to MTA
communication various solutions have been suggested, to the best of
my knowledge none is widely deployed so far.
Yes, none are even lightly deployed. At some tens of thousands of
domains, DANE deployment is still rather negligible, I am hoping
that will start to change in 2016.
Hence, DANE for SMTP and related efforts. No mass-scale use of
end-to-end encryption is looming to save the day, so transport
security is finally getting the attention it deserves. My DANE
survey is at 9000 domains and counting, with adoption picking up
the pace a bit lately. Some domain hosting providers have implemented
tens of thousands of additional DANE domains that do not show up
in my surveys. It is still very early in the process, but I am
cautiously optimistic.
Is data on your DANE survey publicly available anywhere or are there
more details on that? I'd be very interested in the results.
I am not doing research, so the results are not intended for
publication. Rather I am monitoring deployment, and clearing
hurdles to deployment by notifying operators of nameservers that
handle DNSSEC poorly and operators of domains who publish incorrect
or stale TLSA records.
In ~September last year I was able to identify only ~200 DANE
domains and around 4000 domains whose DNS breaks DANE. Now it is
9000+ DANE domains, and under 100 domains whose DNS breaks DANE.
Of the 9000 domains, 6200 are hosted by 3 registrars, most of the
rest are domains operated by individual "hobbyists". However 27
domains (up from 24 two weeks ago) are "large enough" to appear to
Google's email transparency report.
At least 40% of the domains are registered in Germany.
--
Viktor.