https://tools.ietf.org/id/draft-dukhovni-smtp-opportunistic-tls-00.html

This proposed protocol supports opportunistic TLS with DANE
authentication resistant to MITM downgrade attacks.

Domains that publish DNSSEC signed MX records and corresponding
TLSA records support security via the DANE PKI when the sender
implements opportunistic DANE TLS.

Feedback welcome.  The goal is to encourage interoperable implementations
that incrementally increase the security of the Internet SMTP
backbone as DNSSEC and DANE are adopted.

This protocol does not promise unconditional secure delivery; the
sender will send via unauthenticated TLS or even plain-text when
a destination does not publish secure TLSA records for secure MX
hosts.  However, it can be used for unconditional security with
sender-selected destinations by requiring a DANE authenticated
connection when the recipient domain is known/expected to publish
secure DANE TLSA RRs.

-- 
        Viktor.
_______________________________________________
dane mailing list
https://www.ietf.org/mailman/listinfo/dane
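
The fallback behaviour described in the message above, sketched as a sender-side decision function. This is an added example, not code from the draft or from any mail server; `MxState`, `choose_action`, the `require_dane` flag and the rule that a missing STARTTLS or failed TLSA match defers delivery are assumptions used to model the downgrade resistance the message describes.

```python
from dataclasses import dataclass
from enum import Enum


class Action(Enum):
    DANE_TLS = "deliver over DANE-authenticated TLS"
    UNAUTH_TLS = "deliver over unauthenticated TLS"
    PLAINTEXT = "deliver in plain text"
    DEFER = "do not deliver; defer the message"


@dataclass
class MxState:
    """Constructed model of what the sender learned about one MX host."""
    mx_secure: bool            # MX RRset was validated by DNSSEC
    tlsa_secure: bool          # DNSSEC-validated TLSA RRs exist for the MX host
    offers_starttls: bool      # server advertised STARTTLS in its EHLO reply
    tlsa_match: bool = False   # server certificate matched a TLSA record


def choose_action(mx: MxState, require_dane: bool = False) -> Action:
    """Pick the delivery mode for one MX host.

    require_dane models a sender-selected destination that is expected
    to publish secure TLSA records (hypothetical per-domain setting).
    """
    dane_applies = mx.mx_secure and mx.tlsa_secure
    if dane_applies:
        # Signed TLSA records tell the sender that TLS must work here, so a
        # stripped STARTTLS or a certificate mismatch is handled as a
        # possible MITM instead of a reason to fall back.
        if mx.offers_starttls and mx.tlsa_match:
            return Action.DANE_TLS
        return Action.DEFER
    if require_dane:
        # The sender insisted on DANE, so no weaker mode is acceptable.
        return Action.DEFER
    # Opportunistic case: best effort, no authentication promised.
    return Action.UNAUTH_TLS if mx.offers_starttls else Action.PLAINTEXT


if __name__ == "__main__":
    stripped = MxState(mx_secure=True, tlsa_secure=True, offers_starttls=False)
    print(choose_action(stripped).value)
```
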