--- draft-ietf-uta-email-tls-certs-07.xml 2015-12-16 18:44:03.699822067 +0100 +++ draft-ietf-uta-email-tls-certs-07+.xml 2015-12-16 19:20:06.485309685 +0100 @@ -362,6 +362,13 @@ + Use SRV records to redirect each hosted email service to a fixed domain, + deploy TLS certificate(s) for that single domain, and instruct users to + configure their clients with appropriate pinning (unless the SRV records + can always be obtained via DNSSEC). + + + Use a single TLS certificate that includes a complete list of all the domains it is serving. @@ -391,7 +398,7 @@ - Several Mail Service Providers host hundreds and even thousands of domain. + Several Mail Service Providers host hundreds and even thousands of domains. This document, as well as its predecessors RFC 2595, RFC 3207, RFC 3501 and RFC 5804 don't address scaling issues caused by use of TLS in multi-tenanted environments. @@ -510,6 +517,19 @@ + + + + The security warning in Section 6.6.4 of does not + apply to appropriately configured email services. In fact, that case considers + a different name appearing unexpectedly during a connection attempt. Section 7.1 of + discusses the context in which pinning occurs. + A context which provides for obtaining the target server name(s) beforehand + via an additional, unrelated communication path, for example on printed configuration + instructions, is to be considered as secure as the weakest of the paths involved. + + + Future work in this area might benefit from integration with DANE , but it is not covered by this document.