Re: UTA: Server certificate management (Re: Last Call: <draft-ietf-uta-email-tls-certs-05.txt>)

2015-12-02 21:11:33
 * The draft attempts to introduce SRV-ID as a security mechanism
   for mail services.  SRV-ID does not require DNSSEC, but does
   require that CAs be able to figure out which service providers
   are legitimately hosting a given domain.

Is the objection that this is not realistic?  I can see that it
won't always be an option.  There is a class of service providers
for whom this is possible, namely those that are also WebPKI CAs.
So GoDaddy and the like would be able to issue SRV-ID certificates
for domains they host.  Is that enough to justify including the
SRV-ID use-case in the draft?

Given the limited number of organizations that are both CAs and mail
hosts, it seems a poor idea to tell people to implement something
which will at best be flaky.

Or is it the case that you'd prefer text that says that the problem
has no broadly workable solution in the absence of DNSSEC?

Well, it's true.

R's,
John