>>>>> "TF" == Tony Finch <[email protected]> writes:

TF> James Cloos <[email protected]> wrote:
>> Some comments:
>> In that case the target mta might offer a cert which the client mta can
>> authenticate by some means other than dane (eg a pool in CApath or the
>> like). So 'insecurely' is not the right adverb.

TF> The reason it says "insecurely" here is explained in the first couple of
TF> paragraphs in the introduction. Perhaps I should add a back-reference.

I must have forgotten the earlier note by the time I got down to that
section. Perhaps because I had to take some breaks while reading through it.

A back-reference probably is a good idea.

>> When would/could/should the To-domain not in its entirety match the string
>> used for the A/AAAA and TLSA lookups?

TF> They always match - that is what the text you quoted is supposed to mean.

I always tend to read domain name more like dns zone than like host name.
Even after all these years. You remind me that I should read it more akin
to fully-qualified-domain-name.

>> It seems odd that with is used for some auth but not all. Perhaps there
>> should be a with keyword for tlsa, too?

TF> Isn't that covered by RFC 3848? ESMTPSA and so forth.

So ESMTPT is for any kind of TLS authentication of the starttls creds?
Either tlsa rr or set of out-of-band-maintained trusted root certs?

My instinct is that it would be useful to know *how* the starttls was
authenticated, not just whether.

(And, yes, by the time I got down that far I see that I did glaze over a
bit. "when the client successfully authenticated the server." didn't click
as intended, though it is obvious today. Modulus the above q.)

-JimC
-- 
James Cloos <[email protected]> OpenPGP: 1024D/ED7DAEA6
