On Sat, Jan 04, 2014 at 03:11:16PM -0500, Jeffrey Walton wrote:

> > ... A substantive comment that argues that DANE adds
> > nothing new to SMTP would begin by explaining in detail how SMTP
> > to MX TLS security is possible without DNS data integrity (thus
> > making it possible to not trust the root zone signature or any
> > additional trust-anchors for critical peer domains).
>
> Bingo! DNS cannot be trusted. Pushing keys and configuration into DNS
> is just moving the key distribution problem around.

If anyone else thinks that DANE for SMTP is "obviously" wrong, do
us all a favour and carefully read the draft, then give it some
thought.  Then consider how you would practically improve SMTP
transport security.

Once you've read the draft, explain how to secure SMTP to MX without
relying on DNSSEC.  Then criticize trusting DNSSEC if you think it
still makes sense.

I will not respond to further critiques pointing out "obvious"
problems with DANE for SMTP.

-- 
        Viktor.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
