On Thu, Sep 05, 2013 at 02:17:39PM -0700, Ian Fette (イアンフェッティ) wrote:
> 1. Ignore it and do what you would have done had you not seen the TLSA
> record (per the DANE spec)
> 2. Ignore the fact that it's lacking DNSSEC and treat it as "I should only
> send mail over TLS and expect the following cert"

Why do you think (2) provides any advantage over (1)? If someone is actually in a position to MITM your SMTP connections, surely spoofing the odd TLSA record is going to be pretty easy, no? The only protection you have in that case is DNSSEC, I think?

Best,

A

--
Andrew Sullivan
[email protected]
