On Mon, May 20, 2013 at 08:16:11AM -0700, Paul Hoffman wrote:
> On May 20, 2013, at 7:09 AM, Viktor Dukhovni <[email protected]> wrote:
>
> > This proposed protocol supports opportunistic TLS with DANE
> > authentication resistant to MITM downgrade attacks.
>
> This seems like really important work. Lots of people turn on
> STARTTLS in SMTP with no actual certificate verification because
> they want better than nothing security but don't want the operational
> overhead of actually rejecting bad TLS. It seems like this proposal
> actually gets them better protection with the same lack of overhead
> if they don't want to reject. It also gives those who want to reject
> bad TLS a better basis to do so.

I should note that my draft substantively overlaps draft-ietf-dane-smtp-01.
Core differences:
- The new draft includes a more expansive treatment of the semantics of the
various TLSA RR types in the context of SMTP.
- The new draft addresses SMTP submission with RFC 6409 SRV records.
- The new draft specifies the target of a CNAME as the base name for TLSA
lookups with MX hosts (and with non-MX domains).
Since https://tools.ietf.org/html/draft-ietf-dane-smtp-01#section-3
also specifies opportunistic security, the core premise is common
to the two drafts. Perhaps the two drafts can be merged.
--
Viktor.
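As an added illustration (my own code, not from either draft) of two points the message raises: building the TLSA query name from the CNAME target of an MX or submission host, and checking a TLSA record against the server's certificate using the RFC 6698 selector and matching-type semantics. The CNAME zone data, certificate bytes and SPKI bytes below are constructed stand-ins.

```python
import hashlib

# Constructed zone data: a CNAME chain from the MX hostname to its
# canonical name. Following the draft's rule, the TLSA lookup is keyed
# on the CNAME *target*, not the name that appeared in the MX record.
CNAMES = {
    "mx.example.com.": "mail.example.net.",
    "mail.example.net.": "smtp1.example.net.",
}

def tlsa_qname(host, port, cnames=CNAMES, max_hops=8):
    """Follow CNAMEs from host, then build _<port>._tcp.<target>.
    A hop limit guards against looping or runaway CNAME chains."""
    name = host if host.endswith(".") else host + "."
    for _ in range(max_hops):
        if name not in cnames:
            return "_%d._tcp.%s" % (port, name)
        name = cnames[name]
    raise ValueError("CNAME chain too long or looped for %s" % host)

def tlsa_match(selector, mtype, assoc_data, cert_der, spki_der):
    """Check one TLSA RR (selector, matching type, data) against a cert.
    selector 0 = full certificate, 1 = SubjectPublicKeyInfo;
    mtype 0 = exact bytes, 1 = SHA-256, 2 = SHA-512 (RFC 6698)."""
    subject = {0: cert_der, 1: spki_der}[selector]
    digest = {0: lambda b: b,
              1: lambda b: hashlib.sha256(b).digest(),
              2: lambda b: hashlib.sha512(b).digest()}[mtype]
    return digest(subject) == assoc_data

# Constructed stand-ins for a DER-encoded certificate and its SPKI.
CERT_DER = b"constructed-cert-der"
SPKI_DER = b"constructed-spki-der"
# A "3 1 1" record (DANE-EE, SPKI, SHA-256) published for the target.
TLSA_3_1_1 = (3, 1, 1, hashlib.sha256(SPKI_DER).digest())

if __name__ == "__main__":
    print(tlsa_qname("mx.example.com", 25))    # MX host, port 25
    print(tlsa_qname("smtp1.example.net", 587))  # submission target
    usage, sel, mt, data = TLSA_3_1_1
    print(tlsa_match(sel, mt, data, CERT_DER, SPKI_DER))
```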